Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report Halkbank.exe

Overview

General Information

Sample Name:Halkbank.exe
Analysis ID:528764
MD5:4b230a305cc22a04446b397310070d56
SHA1:208524b096c579b89579febff0b40f752b4e7db4
SHA256:a22ca2c5d6086e8c6703deb2e345efc08627e7063c447d60babe6edb17503856
Tags:AgentTeslaexegeoHalkbankTUR
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Halkbank.exe (PID: 6272 cmdline: "C:\Users\user\Desktop\Halkbank.exe" MD5: 4B230A305CC22A04446B397310070D56)
    • RegSvcs.exe (PID: 5972 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • WerFault.exe (PID: 4232 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 1476 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "info@devmetsan.com.tr", "Password": "Murat2019*", "Host": "mail.devmetsan.com.tr"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000005.00000000.493010505.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000005.00000000.493010505.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
        00000001.00000002.289972605.0000000002DA1000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
          00000005.00000002.534823642.0000000002E21000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 28 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            1.2.Halkbank.exe.3e39bb8.3.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              1.2.Halkbank.exe.3e39bb8.3.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                5.0.RegSvcs.exe.400000.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  5.0.RegSvcs.exe.400000.4.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    1.2.Halkbank.exe.3e04198.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 20 entries

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper ArgumentsShow sources
                      Source: Process startedAuthor: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\Halkbank.exe" , ParentImage: C:\Users\user\Desktop\Halkbank.exe, ParentProcessId: 6272, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5972
                      Sigma detected: Possible Applocker BypassShow sources
                      Source: Process startedAuthor: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\Halkbank.exe" , ParentImage: C:\Users\user\Desktop\Halkbank.exe, ParentProcessId: 6272, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5972

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 5.0.RegSvcs.exe.400000.4.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info@devmetsan.com.tr", "Password": "Murat2019*", "Host": "mail.devmetsan.com.tr"}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: Halkbank.exeVirustotal: Detection: 19%Perma Link
                      Source: 5.0.RegSvcs.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.0.RegSvcs.exe.400000.1.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.0.RegSvcs.exe.400000.5.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.0.RegSvcs.exe.400000.6.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.0.RegSvcs.exe.400000.2.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.0.RegSvcs.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.2.RegSvcs.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.0.RegSvcs.exe.400000.3.unpackAvira: Label: TR/Spy.Gen8
                      Source: Halkbank.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: Halkbank.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: anagement.pdb source: WerFault.exe, 00000018.00000003.515865466.0000000005538000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdb" source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000018.00000003.501131452.0000000004FE8000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.501577620.0000000004FE9000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000018.00000003.515947307.0000000005527000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516030444.0000000005527000.00000004.00000040.sdmp
                      Source: Binary string: System.pdb' source: WER819B.tmp.dmp.24.dr
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
                      Source: Binary string: System.Management.pdbHk source: WER819B.tmp.dmp.24.dr
                      Source: Binary string: .pdb&&=8 source: WerFault.exe, 00000018.00000003.515865466.0000000005538000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
                      Source: Binary string: ore.ni.pdb" source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
                      Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000005.00000000.492318602.000000000602D000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.536059728.000000000602D000.00000004.00000001.sdmp
                      Source: Binary string: .ni.pdb source: WerFault.exe, 00000018.00000003.515865466.0000000005538000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
                      Source: Binary string: clr.pdb source: WerFault.exe, 00000018.00000003.516018795.0000000005520000.00000004.00000040.sdmp
                      Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
                      Source: Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbr source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: wbemcomn.pdb& source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: vaultcli.pdb8 source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
                      Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
                      Source: Binary string: System.pdb"" source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000018.00000003.501258894.0000000003025000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.501634756.0000000003025000.00000004.00000001.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbu source: RegSvcs.exe, 00000005.00000002.534261296.0000000001125000.00000004.00000020.sdmp, RegSvcs.exe, 00000005.00000000.493739799.0000000001125000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
                      Source: Binary string: sxs.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
                      Source: Binary string: indows.Forms.pdb source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: RegSvcs.PDB source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: mscoree.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdb@ source: WER819B.tmp.dmp.24.dr
                      Source: Binary string: shlwapi.pdbk source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
                      Source: Binary string: wbemdisp.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: RegSvcs.pdbegSvcs.pdbpdbvcs.pdbv4.0.30319\RegSvcs.pdb3062332-1002 source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000005.00000000.492318602.000000000602D000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.536059728.000000000602D000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\RegSvcs.pdb6 source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
                      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000018.00000003.515947307.0000000005527000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516030444.0000000005527000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdbRSDS source: WER819B.tmp.dmp.24.dr
                      Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: \??\C:\Windows\System.pdb source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
                      Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Management.pdb source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\exe\RegSvcs.pdb= source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: RegSvcs.exe, 00000005.00000002.534261296.0000000001125000.00000004.00000020.sdmp, RegSvcs.exe, 00000005.00000000.493739799.0000000001125000.00000004.00000020.sdmp
                      Source: Binary string: wbemprox.pdbb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER819B.tmp.dmp.24.dr
                      Source: Binary string: System.Configuration.pdbH source: WER819B.tmp.dmp.24.dr
                      Source: Binary string: CustomMarshalers.pdbCA source: WER819B.tmp.dmp.24.dr
                      Source: Binary string: System.Xml.ni.pdbRSDS source: WER819B.tmp.dmp.24.dr
                      Source: Binary string: RegSvcs.pdbr source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdbRSDSD source: WER819B.tmp.dmp.24.dr
                      Source: Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdbk source: RegSvcs.exe, 00000005.00000000.490961404.00000000011CB000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.534391615.00000000011CB000.00000004.00000001.sdmp
                      Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
                      Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
                      Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
                      Source: Binary string: mscoreei.pdbk source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdb.[ source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
                      Source: Binary string: vaultcli.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000018.00000003.516018795.0000000005520000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000018.00000003.516018795.0000000005520000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000000.490961404.00000000011CB000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.534391615.00000000011CB000.00000004.00000001.sdmp
                      Source: Binary string: o0C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
                      Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.pdb{{(9 source: WerFault.exe, 00000018.00000003.515865466.0000000005538000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
                      Source: Binary string: System.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
                      Source: Binary string: .pdb source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbd source: RegSvcs.exe, 00000005.00000000.490961404.00000000011CB000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.534391615.00000000011CB000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdbT3%l source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
                      Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: symbols\exe\RegSvcs.pdbzX source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000018.00000003.516018795.0000000005520000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdbRSDS source: WER819B.tmp.dmp.24.dr
                      Source: Binary string: ws2_32.pdbV source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: clrjit.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
                      Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: fastprox.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: version.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000018.00000003.515865466.0000000005538000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: CustomMarshalers.pdb source: WerFault.exe, 00000018.00000003.515865466.0000000005538000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: ore.ni.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
                      Source: Binary string: System.pdb source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000018.00000003.516018795.0000000005520000.00000004.00000040.sdmp
                      Source: Binary string: psapi.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\System.pdb source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
                      Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
                      Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000018.00000003.501258894.0000000003025000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.501634756.0000000003025000.00000004.00000001.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
                      Source: Binary string: System.Core.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: combase.pdbk source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\exe\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
                      Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp, WER819B.tmp.dmp.24.dr
                      Source: RegSvcs.exe, 00000005.00000002.534823642.0000000002E21000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: RegSvcs.exe, 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: RegSvcs.exe, 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmpString found in binary or memory: http://OGxUTf.com
                      Source: WerFault.exe, 00000018.00000002.532293810.0000000004EB0000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
                      Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
                      Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
                      Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
                      Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
                      Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
                      Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
                      Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
                      Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
                      Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
                      Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
                      Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
                      Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
                      Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
                      Source: Amcache.hve.24.drString found in binary or memory: http://upx.sf.net
                      Source: RegSvcs.exe, 00000005.00000000.491450693.0000000002ED1000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%
                      Source: RegSvcs.exe, 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: Halkbank.exe, 00000001.00000002.290543372.0000000003DA9000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.493010505.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: RegSvcs.exe, 00000005.00000002.534823642.0000000002E21000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                      Spam, unwanted Advertisements and Ransom Demands:

                      barindex
                      Modifies the hosts fileShow sources
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: 5.0.RegSvcs.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.csLarge array initialization: .cctor: array initializer size 11838
                      Source: 5.0.RegSvcs.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.csLarge array initialization: .cctor: array initializer size 11838
                      Source: 5.0.RegSvcs.exe.400000.5.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.csLarge array initialization: .cctor: array initializer size 11838
                      Source: 5.0.RegSvcs.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.csLarge array initialization: .cctor: array initializer size 11838
                      Source: 5.0.RegSvcs.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.csLarge array initialization: .cctor: array initializer size 11838
                      Source: Halkbank.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 1476
                      Source: C:\Users\user\Desktop\Halkbank.exeCode function: 1_2_009FA2A9
                      Source: C:\Users\user\Desktop\Halkbank.exeCode function: 1_2_06100F28
                      Source: C:\Users\user\Desktop\Halkbank.exeCode function: 1_2_06100040
                      Source: C:\Users\user\Desktop\Halkbank.exeCode function: 1_2_061046FD
                      Source: C:\Users\user\Desktop\Halkbank.exeCode function: 1_2_061047F0
                      Source: C:\Users\user\Desktop\Halkbank.exeCode function: 1_2_061047E1
                      Source: C:\Users\user\Desktop\Halkbank.exeCode function: 1_2_009FA035
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F10040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F18A48
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F12A29
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F18828
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F1B6E8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F19878
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F2C2F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F21FE2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F2AB70
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F22768
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F27CB6
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F27880
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F279A7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F2795F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F27A09
                      Source: Halkbank.exe, 00000001.00000002.289355845.0000000000A8A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSafeBSTRHand.exeJ vs Halkbank.exe
                      Source: Halkbank.exe, 00000001.00000002.290543372.0000000003DA9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameIndvGslqFtFYfKpHTgcTQzFewbwOcpef.exe4 vs Halkbank.exe
                      Source: Halkbank.exe, 00000001.00000002.290543372.0000000003DA9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs Halkbank.exe
                      Source: Halkbank.exe, 00000001.00000002.292657318.0000000006080000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs Halkbank.exe
                      Source: Halkbank.exe, 00000001.00000002.289972605.0000000002DA1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameIndvGslqFtFYfKpHTgcTQzFewbwOcpef.exe4 vs Halkbank.exe
                      Source: Halkbank.exe, 00000001.00000002.290021625.0000000002DD5000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs Halkbank.exe
                      Source: Halkbank.exeBinary or memory string: OriginalFilenameSafeBSTRHand.exeJ vs Halkbank.exe
                      Source: Halkbank.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: Halkbank.exeVirustotal: Detection: 19%
                      Source: Halkbank.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\Halkbank.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Users\user\Desktop\Halkbank.exe "C:\Users\user\Desktop\Halkbank.exe"
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 1476
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Halkbank.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Halkbank.exe.logJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER819B.tmpJump to behavior
                      Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@4/8@0/0
                      Source: C:\Users\user\Desktop\Halkbank.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5972
                      Source: 5.0.RegSvcs.exe.400000.4.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.RegSvcs.exe.400000.4.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.RegSvcs.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.RegSvcs.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.RegSvcs.exe.400000.5.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.RegSvcs.exe.400000.5.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Halkbank.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Halkbank.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Halkbank.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: anagement.pdb source: WerFault.exe, 00000018.00000003.515865466.0000000005538000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdb" source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000018.00000003.501131452.0000000004FE8000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.501577620.0000000004FE9000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000018.00000003.515947307.0000000005527000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516030444.0000000005527000.00000004.00000040.sdmp
                      Source: Binary string: System.pdb' source: WER819B.tmp.dmp.24.dr
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
                      Source: Binary string: System.Management.pdbHk source: WER819B.tmp.dmp.24.dr
                      Source: Binary string: .pdb&&=8 source: WerFault.exe, 00000018.00000003.515865466.0000000005538000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
                      Source: Binary string: ore.ni.pdb" source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
                      Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000005.00000000.492318602.000000000602D000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.536059728.000000000602D000.00000004.00000001.sdmp
                      Source: Binary string: .ni.pdb source: WerFault.exe, 00000018.00000003.515865466.0000000005538000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
                      Source: Binary string: clr.pdb source: WerFault.exe, 00000018.00000003.516018795.0000000005520000.00000004.00000040.sdmp
                      Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
                      Source: Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbr source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: wbemcomn.pdb& source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: vaultcli.pdb8 source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
                      Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
                      Source: Binary string: System.pdb"" source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000018.00000003.501258894.0000000003025000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.501634756.0000000003025000.00000004.00000001.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbu source: RegSvcs.exe, 00000005.00000002.534261296.0000000001125000.00000004.00000020.sdmp, RegSvcs.exe, 00000005.00000000.493739799.0000000001125000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
                      Source: Binary string: sxs.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
                      Source: Binary string: indows.Forms.pdb source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: RegSvcs.PDB source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: mscoree.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdb@ source: WER819B.tmp.dmp.24.dr
                      Source: Binary string: shlwapi.pdbk source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
                      Source: Binary string: wbemdisp.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: RegSvcs.pdbegSvcs.pdbpdbvcs.pdbv4.0.30319\RegSvcs.pdb3062332-1002 source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000005.00000000.492318602.000000000602D000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.536059728.000000000602D000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\RegSvcs.pdb6 source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
                      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000018.00000003.515947307.0000000005527000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516030444.0000000005527000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdbRSDS source: WER819B.tmp.dmp.24.dr
                      Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: \??\C:\Windows\System.pdb source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
                      Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Management.pdb source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\exe\RegSvcs.pdb= source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: RegSvcs.exe, 00000005.00000002.534261296.0000000001125000.00000004.00000020.sdmp, RegSvcs.exe, 00000005.00000000.493739799.0000000001125000.00000004.00000020.sdmp
                      Source: Binary string: wbemprox.pdbb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER819B.tmp.dmp.24.dr
                      Source: Binary string: System.Configuration.pdbH source: WER819B.tmp.dmp.24.dr
                      Source: Binary string: CustomMarshalers.pdbCA source: WER819B.tmp.dmp.24.dr
                      Source: Binary string: System.Xml.ni.pdbRSDS source: WER819B.tmp.dmp.24.dr
                      Source: Binary string: RegSvcs.pdbr source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdbRSDSD source: WER819B.tmp.dmp.24.dr
                      Source: Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdbk source: RegSvcs.exe, 00000005.00000000.490961404.00000000011CB000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.534391615.00000000011CB000.00000004.00000001.sdmp
                      Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
                      Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
                      Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
                      Source: Binary string: mscoreei.pdbk source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdb.[ source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
                      Source: Binary string: vaultcli.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000018.00000003.516018795.0000000005520000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000018.00000003.516018795.0000000005520000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000000.490961404.00000000011CB000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.534391615.00000000011CB000.00000004.00000001.sdmp
                      Source: Binary string: o0C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
                      Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.pdb{{(9 source: WerFault.exe, 00000018.00000003.515865466.0000000005538000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
                      Source: Binary string: System.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
                      Source: Binary string: .pdb source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbd source: RegSvcs.exe, 00000005.00000000.490961404.00000000011CB000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.534391615.00000000011CB000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdbT3%l source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
                      Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: symbols\exe\RegSvcs.pdbzX source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000018.00000003.516018795.0000000005520000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdbRSDS source: WER819B.tmp.dmp.24.dr
                      Source: Binary string: ws2_32.pdbV source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: clrjit.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
                      Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: fastprox.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: version.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000018.00000003.515865466.0000000005538000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: CustomMarshalers.pdb source: WerFault.exe, 00000018.00000003.515865466.0000000005538000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: ore.ni.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
                      Source: Binary string: System.pdb source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000018.00000003.516018795.0000000005520000.00000004.00000040.sdmp
                      Source: Binary string: psapi.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\System.pdb source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
                      Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
                      Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000018.00000003.501258894.0000000003025000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.501634756.0000000003025000.00000004.00000001.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
                      Source: Binary string: System.Core.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
                      Source: Binary string: combase.pdbk source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\exe\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
                      Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp, WER819B.tmp.dmp.24.dr

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: Halkbank.exe, MegaMan.LevelEditor/MainForm.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 1.0.Halkbank.exe.9f0000.0.unpack, MegaMan.LevelEditor/MainForm.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 1.2.Halkbank.exe.9f0000.0.unpack, MegaMan.LevelEditor/MainForm.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F1718B push 8BFFFFFFh; retf
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.70769358931
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM3Show sources
                      Source: Yara matchFile source: 1.2.Halkbank.exe.2ded24c.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000001.00000002.289972605.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.290021625.0000000002DD5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Halkbank.exe PID: 6272, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: Halkbank.exe, 00000001.00000002.289972605.0000000002DA1000.00000004.00000001.sdmp, Halkbank.exe, 00000001.00000002.290021625.0000000002DD5000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: Halkbank.exe, 00000001.00000002.289972605.0000000002DA1000.00000004.00000001.sdmp, Halkbank.exe, 00000001.00000002.290021625.0000000002DD5000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\Halkbank.exe TID: 6016Thread sleep time: -36926s >= -30000s
                      Source: C:\Users\user\Desktop\Halkbank.exe TID: 3340Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Halkbank.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 3217
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 6617
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Halkbank.exeThread delayed: delay time: 36926
                      Source: C:\Users\user\Desktop\Halkbank.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                      Source: Halkbank.exe, 00000001.00000002.290021625.0000000002DD5000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                      Source: Amcache.hve.24.drBinary or memory string: VMware
                      Source: Amcache.hve.24.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: Amcache.hve.24.drBinary or memory string: VMware Virtual USB Mouse
                      Source: Halkbank.exe, 00000001.00000002.290021625.0000000002DD5000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Amcache.hve.24.drBinary or memory string: VMware, Inc.
                      Source: Amcache.hve.24.drBinary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                      Source: WerFault.exe, 00000018.00000003.529964299.0000000004FD6000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000002.532467720.0000000004FD6000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000002.532293810.0000000004EB0000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.529529898.0000000004FD6000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: Amcache.hve.24.drBinary or memory string: VMware, Inc.me
                      Source: WerFault.exe, 00000018.00000003.529466977.0000000004FE0000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000002.532482185.0000000004FE2000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWh
                      Source: Halkbank.exe, 00000001.00000002.290021625.0000000002DD5000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: Amcache.hve.24.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: Amcache.hve.24.drBinary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Halkbank.exe, 00000001.00000002.290021625.0000000002DD5000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: WerFault.exe, 00000018.00000003.527444365.0000000004FE8000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
                      Source: Amcache.hve.24.drBinary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.24.drBinary or memory string: VMware7,1
                      Source: Amcache.hve.24.drBinary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.24.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.24.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: Amcache.hve.24.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.24.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.24.drBinary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
                      Source: Amcache.hve.24.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPort
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPort
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00F1C308 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\Halkbank.exeMemory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Writes to foreign memory regionsShow sources
                      Source: C:\Users\user\Desktop\Halkbank.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                      Source: C:\Users\user\Desktop\Halkbank.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                      Source: C:\Users\user\Desktop\Halkbank.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
                      Source: C:\Users\user\Desktop\Halkbank.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000
                      Source: C:\Users\user\Desktop\Halkbank.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DF8008
                      Modifies the hosts fileShow sources
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Allocates memory in foreign processesShow sources
                      Source: C:\Users\user\Desktop\Halkbank.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                      Injects a PE file into a foreign processesShow sources
                      Source: C:\Users\user\Desktop\Halkbank.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\Halkbank.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: RegSvcs.exe, 00000005.00000000.494112429.0000000001810000.00000002.00020000.sdmp, RegSvcs.exe, 00000005.00000000.491193047.0000000001810000.00000002.00020000.sdmpBinary or memory string: Program Manager
                      Source: RegSvcs.exe, 00000005.00000000.494112429.0000000001810000.00000002.00020000.sdmp, RegSvcs.exe, 00000005.00000000.491193047.0000000001810000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: RegSvcs.exe, 00000005.00000000.494112429.0000000001810000.00000002.00020000.sdmp, RegSvcs.exe, 00000005.00000000.491193047.0000000001810000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: RegSvcs.exe, 00000005.00000000.494112429.0000000001810000.00000002.00020000.sdmp, RegSvcs.exe, 00000005.00000000.491193047.0000000001810000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\Halkbank.exeQueries volume information: C:\Users\user\Desktop\Halkbank.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Halkbank.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Halkbank.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Halkbank.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Halkbank.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Halkbank.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Halkbank.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Halkbank.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Halkbank.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      barindex
                      Modifies the hosts fileShow sources
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: Amcache.hve.24.dr, Amcache.hve.LOG1.24.drBinary or memory string: c:\users\user\desktop\procexp.exe
                      Source: Amcache.hve.24.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                      Source: Amcache.hve.24.dr, Amcache.hve.LOG1.24.drBinary or memory string: procexp.exe

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 1.2.Halkbank.exe.3e39bb8.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.Halkbank.exe.3e04198.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.RegSvcs.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.RegSvcs.exe.400000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.Halkbank.exe.3e39bb8.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.Halkbank.exe.3e04198.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000005.00000000.493010505.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.287151735.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.290543372.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.287966874.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.288288058.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.490385199.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.533288791.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.287632370.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.534823642.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.494379610.0000000002ED8000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.491463925.0000000002ED8000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.535018721.0000000002ED8000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.494208216.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Halkbank.exe PID: 6272, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 5972, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: WerFault.exe PID: 4232, type: MEMORYSTR
                      Tries to steal Mail credentials (via file / registry access)Show sources
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Tries to harvest and steal browser information (history, passwords, etc)Show sources
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: Yara matchFile source: 00000005.00000002.534823642.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.494208216.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 5972, type: MEMORYSTR

                      Remote Access Functionality:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 1.2.Halkbank.exe.3e39bb8.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.Halkbank.exe.3e04198.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.RegSvcs.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.RegSvcs.exe.400000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.Halkbank.exe.3e39bb8.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.Halkbank.exe.3e04198.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000005.00000000.493010505.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.287151735.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.290543372.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.287966874.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.288288058.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.490385199.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.533288791.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.287632370.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.534823642.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.494379610.0000000002ED8000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.491463925.0000000002ED8000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.535018721.0000000002ED8000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.494208216.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Halkbank.exe PID: 6272, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 5972, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: WerFault.exe PID: 4232, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation211Path InterceptionProcess Injection312Masquerading1OS Credential Dumping1Security Software Discovery231Remote ServicesEmail Collection1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsFile and Directory Permissions Modification1LSASS MemoryProcess Discovery1Remote Desktop ProtocolArchive Collected Data11Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Disable or Modify Tools1Security Account ManagerVirtualization/Sandbox Evasion141SMB/Windows Admin SharesData from Local System1Automated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Virtualization/Sandbox Evasion141NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptProcess Injection312LSA SecretsRemote System Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonDeobfuscate/Decode Files or Information1Cached Domain CredentialsSystem Information Discovery114VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsObfuscated Files or Information2DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobSoftware Packing13Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      Halkbank.exe20%VirustotalBrowse

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      5.0.RegSvcs.exe.400000.4.unpack100%AviraTR/Spy.Gen8Download File
                      5.0.RegSvcs.exe.400000.1.unpack100%AviraTR/Spy.Gen8Download File
                      5.0.RegSvcs.exe.400000.5.unpack100%AviraTR/Spy.Gen8Download File
                      5.0.RegSvcs.exe.400000.6.unpack100%AviraTR/Spy.Gen8Download File
                      5.0.RegSvcs.exe.400000.2.unpack100%AviraTR/Spy.Gen8Download File
                      5.0.RegSvcs.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                      5.2.RegSvcs.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                      5.0.RegSvcs.exe.400000.3.unpack100%AviraTR/Spy.Gen8Download File

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      http://OGxUTf.com0%Avira URL Cloudsafe
                      https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                      https://api.ipify.org%0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpfalse
                        		high
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifierWerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpfalse
                          		high
                          http://127.0.0.1:HTTP/1.1RegSvcs.exe, 00000005.00000002.534823642.0000000002E21000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		low
                          http://DynDns.comDynDNSRegSvcs.exe, 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.oWerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpfalse
                            		high
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidWerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpfalse
                              		high
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpfalse
                                		high
                                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haRegSvcs.exe, 00000005.00000002.534823642.0000000002E21000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://OGxUTf.comRegSvcs.exe, 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.oWerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpfalse
                                  		high
                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphoneWerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpfalse
                                    		high
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephoneWerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpfalse
                                      		high
                                      https://api.ipify.org%GETMozilla/5.0RegSvcs.exe, 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      		low
                                      http://upx.sf.netAmcache.hve.24.drfalse
                                        		high
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovinceWerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpfalse
                                          		high
                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpfalse
                                            		high
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameWerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpfalse
                                              		high
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpfalse
                                                		high
                                                https://api.ipify.org%RegSvcs.exe, 00000005.00000000.491450693.0000000002ED1000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                		low
                                                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipHalkbank.exe, 00000001.00000002.290543372.0000000003DA9000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.493010505.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpfalse
                                                  		high
                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authenticationWerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmpfalse
                                                    		high

                                                    Contacted IPs

                                                    No contacted IP infos

                                                    General Information

                                                    Joe Sandbox Version:34.0.0 Boulder Opal
                                                    Analysis ID:528764
                                                    Start date:25.11.2021
                                                    Start time:18:46:25
                                                    Joe Sandbox Product:CloudBasic
                                                    Overall analysis duration:0h 8m 0s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:light
                                                    Sample file name:Halkbank.exe
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                    Number of analysed new started processes analysed:26
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • HDC enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Detection:MAL
                                                    Classification:mal100.troj.adwa.spyw.evad.winEXE@4/8@0/0
                                                    EGA Information:Failed
                                                    HDC Information:Failed
                                                    HCA Information:
                                                    • Successful, ratio: 92%
                                                    • Number of executed functions: 0
                                                    • Number of non-executed functions: 0
                                                    Cookbook Comments:
                                                    • Adjust boot time
                                                    • Enable AMSI
                                                    • Found application associated with file extension: .exe
                                                    Warnings:
                                                    Show All
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                    • Excluded IPs from analysis (whitelisted): 20.189.173.22
                                                    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
                                                    • Not all processes where analyzed, report is missing behavior information
                                                    • Report size getting too big, too many NtSetInformationFile calls found.

                                                    Simulations

                                                    Behavior and APIs

                                                    TimeTypeDescription
                                                    18:47:18API Interceptor2x Sleep call for process: Halkbank.exe modified
                                                    18:47:30API Interceptor613x Sleep call for process: RegSvcs.exe modified
                                                    18:49:14API Interceptor1x Sleep call for process: WerFault.exe modified

                                                    Joe Sandbox View / Context

                                                    IPs

                                                    No context

                                                    Domains

                                                    No context

                                                    ASN

                                                    No context

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_6e42c2ecbe67857e042102e8f977834d8ccb729_75d5926b_11ee2609\Report.wer
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):1.1287522346016217
                                                    Encrypted:false
                                                    SSDEEP:192:I4kGbdHBUZMXaaPXvJCM34/u7sVS274Itx:ftBBUZMXaapP34/u7sVX4Itx
                                                    MD5:CBE3312FDE05A798F5F92170E696AED0
                                                    SHA1:E43A6E8BAB45A674F7FFE5F9A0B9475CDD71FF68
                                                    SHA-256:AD59069D0E0B3B7123C5F4F1D429FEDAF4663EEE1D46F4CA970DD00CF02FA9E7
                                                    SHA-512:8397A797E8D17F69333384CD95BCE0BC3F6E4042FD087AC13BBAF5C7D370C8C4886082396F422A150264A0DC4310A9416803F627272D1FD877B00E63BE3499C4
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.3.6.8.5.4.1.9.8.5.9.6.5.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.2.3.6.8.5.5.2.1.2.6.6.0.3.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.9.0.e.c.b.6.a.-.5.7.8.d.-.4.4.d.9.-.b.e.3.c.-.e.8.9.1.1.c.5.a.8.e.4.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.f.1.9.e.5.b.7.-.8.e.4.5.-.4.5.9.3.-.9.a.4.3.-.5.6.8.4.6.3.6.2.9.7.f.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.5.4.-.0.0.0.1.-.0.0.1.c.-.8.c.a.f.-.4.0.e.e.6.f.e.2.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.7.b.a.2.a.1.1.1.c.e.d.d.5.b.f.5.2.3.2.2.4.b.3.f.1.c.f.e.5.8.e.e.c.7.c.2.f.d.c.
                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER819B.tmp.dmp
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Mini DuMP crash report, 15 streams, Fri Nov 26 02:49:06 2021, 0x1205a4 type
                                                    Category:dropped
                                                    Size (bytes):281542
                                                    Entropy (8bit):3.695343865128418
                                                    Encrypted:false
                                                    SSDEEP:3072:6fwWc+0pa0DuUCgUCVjd+pVyxoHuNGoomu9gIOgF5WFY76A:qJD0paSuTjrpVIoO4B59RpDAm
                                                    MD5:EC0DED637BEA0B9542F877FD855DBD00
                                                    SHA1:16F0A36F2043305A4070CB7B8BD7516317C25D00
                                                    SHA-256:239915962B2EDBB037BA0383BDF68CC477D5870DF2474DD47C7A51F27EEF29CC
                                                    SHA-512:894C3FB8B2C9B24C0B212703A25C52DF8A149D4DE34E399FB5F4E1AABF39A488086C7205F1AF8597A393944DA6F8A17A03068E269B899177711C7EA6303232BC
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview: MDMP....... ......."K.a............D...........,...X.......$....#......T&...R..........`.......8...........T............8...............#...........%...................................................................U...........B......,&......GenuineIntelW...........T.......T....J.a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER993B.tmp.WERInternalMetadata.xml
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):8342
                                                    Entropy (8bit):3.6875708666095264
                                                    Encrypted:false
                                                    SSDEEP:192:Rrl7r3GLNipTjN6vn6YbS69mUgmfZ7SQCprZ89b4wsf4Im:RrlsNipfN6f6Y+69NgmflSu4Dfu
                                                    MD5:2BE17A229E83FB783BCC938FFA8D167A
                                                    SHA1:B8EDF9AF3C5593F09708110BF1F7CFD4BEE1EB5E
                                                    SHA-256:E9E2578A901410941C5EE770855BBEAA19B7E898A7CDD73ED7881C91CA6AFAB9
                                                    SHA-512:18197F047A57325CAA039DA2FA9596347B723D77EF0D5091435C07B95D3684CBF515AA88984B550E4D89891485FEDFE077E366430A8DE0D12BF7DB27B5972842
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.7.2.<./.P.i.d.>.......
                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D53.tmp.xml
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4719
                                                    Entropy (8bit):4.443555954095162
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwSD8zsBJgtWI9bbWSC8BW8fm8M4JStjJ2FdL+q8vrtjJBP7Zd:uITfTIqSNxJLK1P7Zd
                                                    MD5:07FEB55CAB5BB0BE4C80D94B74914413
                                                    SHA1:E4FC06D252D2EE912D6790061D7D7466E6D9F6A4
                                                    SHA-256:65EFFEECEB743A92E62D4BD52978813579EC8ABEA8E853653F9121E63C0914E6
                                                    SHA-512:D0161DA2C76EB2965DFC32995DC9799848AA6861F7A3C63E9F4819C8383C98F965A879E60632574982C06DD97CD169C26382CDB0C9240C81C69AD45086E1766D
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1270799" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Halkbank.exe.log
                                                    Process:C:\Users\user\Desktop\Halkbank.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1310
                                                    Entropy (8bit):5.345651901398759
                                                    Encrypted:false
                                                    SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
                                                    MD5:D918C6A765EDB90D2A227FE23A3FEC98
                                                    SHA1:8BA802AD8D740F114783F0DADC407CBFD2A209B3
                                                    SHA-256:AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
                                                    SHA-512:A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
                                                    Malicious:true
                                                    Reputation:moderate, very likely benign file
                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                    C:\Windows\System32\drivers\etc\hosts
                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:modified
                                                    Size (bytes):835
                                                    Entropy (8bit):4.694294591169137
                                                    Encrypted:false
                                                    SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
                                                    MD5:6EB47C1CF858E25486E42440074917F2
                                                    SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
                                                    SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
                                                    SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
                                                    Malicious:true
                                                    Reputation:moderate, very likely benign file
                                                    Preview: # Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1
                                                    C:\Windows\appcompat\Programs\Amcache.hve
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:MS Windows registry file, NT/2000 or above
                                                    Category:dropped
                                                    Size (bytes):1572864
                                                    Entropy (8bit):4.275087234815477
                                                    Encrypted:false
                                                    SSDEEP:12288:gmB3EyobBNXUvI3iljSGbJ/EKkBdEZZw/gmEl/L5rr4VQ0DekhC1n:1B3EyobBNXUvI3CR
                                                    MD5:87287A03FA43FDDFB5B4A61F68CFBE43
                                                    SHA1:D873ADBEC4AE25378CE25667263DABC0D23BB985
                                                    SHA-256:28F8540784933C5D589851F7771A04BB8CCCF0A1F598C5963E38EEC23FDF13CE
                                                    SHA-512:08F68963DA0EA8624E288164EB18CA10E592F376C8E358CC6323F6DFA0B40C7E2B8F7DBCA4E36FABBD4801043B03C8DFB792EC22B416E7AC0BD076E2BD8D854E
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview: regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...)p...............................................................................................................................................................................................................................................................................................................................................>@.t........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:MS Windows registry file, NT/2000 or above
                                                    Category:dropped
                                                    Size (bytes):24576
                                                    Entropy (8bit):4.033223004973161
                                                    Encrypted:false
                                                    SSDEEP:384:BHWw5Rftx1hPJ4XOsF8nm7kiPBqXRSeq5QMVyi6+/zl4Lk4JZd1DoXzK4Zy7qx:hWGRftx1BJ4XLF8m73BqXYeq5QMVyi6c
                                                    MD5:56239CA132CF0ABCE61F880652AE144E
                                                    SHA1:7FBFB8471D01D801408E207DB47F9C83CBF2DDDE
                                                    SHA-256:6A47BB76E5C14460CA96ED8A5C41B7EA4F32F1514E1840974102B5DC45BEFE55
                                                    SHA-512:F1913AAEA49A071A347DA26FBA3B0F2B67AF229D2AA87586E895A30404D7FADB60CFB978CD4561873117C6E2493DDB60A0CD32DE7D17772420B82954D9DE852C
                                                    Malicious:false
                                                    Preview: regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...)p...............................................................................................................................................................................................................................................................................................................................................8@.tHvLE.^......Y...........'I.'...4..N.S.........0................... ..hbin................p.\..,..........nk,..t.)p....... ........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..t.)p....... ........................... .......Z.......................Root........lf......Root....nk ..t.)p....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...

                                                    Static File Info

                                                    General

                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.694981249167293
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Windows Screen Saver (13104/52) 0.07%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    File name:Halkbank.exe
                                                    File size:618496
                                                    MD5:4b230a305cc22a04446b397310070d56
                                                    SHA1:208524b096c579b89579febff0b40f752b4e7db4
                                                    SHA256:a22ca2c5d6086e8c6703deb2e345efc08627e7063c447d60babe6edb17503856
                                                    SHA512:c0dcfea90b46ef91463d6ff272e0febd9ee5615bad9f84993458bde3f9f7983fe025747b7a6e306b31884bc57f10040b965d4578900138721b519dcd37da4f95
                                                    SSDEEP:12288:xBzcmhiTUHxuWTFfjCT8VD3feOTfBw31/sWKkTrENa0SixBFmRq:xBomhiIoW7D251/sFkTrFRi1Wq
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... ..a..............0..d............... ........@.. ....................................@................................

                                                    File Icon

                                                    Icon Hash:00828e8e8686b000

                                                    Static PE Info

                                                    General

                                                    Entrypoint:0x4982ce
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                    Time Stamp:0x619EE920 [Thu Nov 25 01:38:40 2021 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:v4.0.30319
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                    Entrypoint Preview

                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    add byte ptr [eax], al
                                                    add byte ptr [ebp+0800000Eh], ch
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [3D3F170Ah], bh
                                                    or dl, byte ptr [edi]
                                                    aas
                                                    cmp eax, 003F170Ah
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [esi-51C21EB9h], ch
                                                    inc edi
                                                    loope 00007FDCA0C47C9Fh
                                                    scasb
                                                    inc edi
                                                    loope 00007FDCA0C47C9Fh
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    call far 9999h : 9A3E9999h
                                                    call far 0000h : 003E9999h
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al

                                                    Data Directories

                                                    NameVirtual AddressVirtual Size Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT0x9827c0x4f.text
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x9a0000x640.rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x9c0000xc.reloc
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                    Sections

                                                    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                    .text0x20000x9632c0x96400False0.785222870736data7.70769358931IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                    .rsrc0x9a0000x6400x800False0.3408203125data3.53068847001IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .reloc0x9c0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                    Resources

                                                    NameRVASizeTypeLanguageCountry
                                                    RT_VERSION0x9a0900x3b0data
                                                    RT_MANIFEST0x9a4500x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                    Imports

                                                    DLLImport
                                                    mscoree.dll_CorExeMain

                                                    Version Infos

                                                    DescriptionData
                                                    Translation0x0000 0x04b0
                                                    LegalCopyrightCopyright LiquidFyre Games, LLC 2009
                                                    Assembly Version1.0.0.0
                                                    InternalNameSafeBSTRHand.exe
                                                    FileVersion1.0.0.0
                                                    CompanyNameLiquidFyre Games, LLC
                                                    LegalTrademarks
                                                    Comments
                                                    ProductNameMegaMan Level Editor
                                                    ProductVersion1.0.0.0
                                                    FileDescriptionMegaMan Level Editor
                                                    OriginalFilenameSafeBSTRHand.exe

                                                    Network Behavior

                                                    No network behavior found

                                                    Code Manipulations

                                                    Statistics

                                                    Behavior

                                                    Click to jump to process

                                                    System Behavior

                                                    Analysis Process: Halkbank.exe PID: 6272 Parent PID: 5992

                                                    General

                                                    Start time:18:47:17
                                                    Start date:25/11/2021
                                                    Path:C:\Users\user\Desktop\Halkbank.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\Halkbank.exe"
                                                    Imagebase:0x9f0000
                                                    File size:618496 bytes
                                                    MD5 hash:4B230A305CC22A04446B397310070D56
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.289972605.0000000002DA1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.290021625.0000000002DD5000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.290543372.0000000003DA9000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.290543372.0000000003DA9000.00000004.00000001.sdmp, Author: Joe Security
                                                    Reputation:low

                                                    Analysis Process: RegSvcs.exe PID: 5972 Parent PID: 6272

                                                    General

                                                    Start time:18:47:19
                                                    Start date:25/11/2021
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Imagebase:0xab0000
                                                    File size:45152 bytes
                                                    MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.493010505.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.493010505.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.534823642.0000000002E21000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.534823642.0000000002E21000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.287151735.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.287151735.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.494379610.0000000002ED8000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.287966874.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.287966874.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.288288058.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.288288058.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.490385199.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.490385199.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.533288791.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.533288791.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.491463925.0000000002ED8000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.287632370.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.287632370.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.535018721.0000000002ED8000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.494208216.0000000002E21000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.494208216.0000000002E21000.00000004.00000001.sdmp, Author: Joe Security
                                                    Reputation:high

                                                    Analysis Process: WerFault.exe PID: 4232 Parent PID: 5972

                                                    General

                                                    Start time:18:48:58
                                                    Start date:25/11/2021
                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 1476
                                                    Imagebase:0xe20000
                                                    File size:434592 bytes
                                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, Author: Joe Security
                                                    Reputation:high

                                                    Disassembly

                                                    Code Analysis

                                                    Reset < >