Windows Analysis Report PTA009483.exe

Overview

General Information

Sample Name: PTA009483.exe
Analysis ID: 532659
MD5: c32dc27c35f471c71e237b07cffc263d
SHA1: b8518918c8aeaaaf989e6361907debff3da0d6f6
SHA256: ae4bc61fdbd79efa881919084a9858bc02935ae6ed8644f246ff0f56d87d6e9f
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 1.0.RegSvcs.exe.400000.4.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info@devmetsan.com.tr", "Password": "Murat2019*", "Host": "mail.devmetsan.com.tr"}
Multi AV Scanner detection for submitted file
Source: PTA009483.exe Virustotal: Detection: 35%
Source: PTA009483.exe Metadefender: Detection: 28%
Source: PTA009483.exe ReversingLabs: Detection: 67%
Antivirus or Machine Learning detection for unpacked file
Source: 1.0.RegSvcs.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 1.0.RegSvcs.exe.400000.2.unpack Avira: Label: TR/Spy.Gen8
Source: 1.2.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 1.0.RegSvcs.exe.400000.1.unpack Avira: Label: TR/Spy.Gen8
Source: 1.0.RegSvcs.exe.400000.5.unpack Avira: Label: TR/Spy.Gen8
Source: 1.0.RegSvcs.exe.400000.3.unpack Avira: Label: TR/Spy.Gen8
Source: 1.0.RegSvcs.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 1.0.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: PTA009483.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PTA009483.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
Source: RegSvcs.exe, 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp String found in binary or memory: http://OGxUTf.com
Source: WerFault.exe, 00000012.00000003.913838802.00000000048E9000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000002.915756715.00000000048E7000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Amcache.hve.18.dr String found in binary or memory: http://upx.sf.net
Source: RegSvcs.exe, 00000001.00000000.885051928.0000000002E51000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%
Source: RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: PTA009483.exe, 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.673328512.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

.NET source code contains very large array initializations
Source: 1.0.RegSvcs.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs Large array initialization: .cctor: array initializer size 11838
Source: 1.0.RegSvcs.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs Large array initialization: .cctor: array initializer size 11838
Source: 1.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs Large array initialization: .cctor: array initializer size 11838
Source: 1.0.RegSvcs.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs Large array initialization: .cctor: array initializer size 11838
Source: 1.0.RegSvcs.exe.400000.5.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs Large array initialization: .cctor: array initializer size 11838
Source: 1.0.RegSvcs.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs Large array initialization: .cctor: array initializer size 11838
Uses 32bit PE files
Source: PTA009483.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
One or more processes crash
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 632
Detected potential crypto function
Source: C:\Users\user\Desktop\PTA009483.exe Code function: 0_2_00D35196 0_2_00D35196
Source: C:\Users\user\Desktop\PTA009483.exe Code function: 0_2_016B6458 0_2_016B6458
Source: C:\Users\user\Desktop\PTA009483.exe Code function: 0_2_016BE488 0_2_016BE488
Source: C:\Users\user\Desktop\PTA009483.exe Code function: 0_2_016B6788 0_2_016B6788
Source: C:\Users\user\Desktop\PTA009483.exe Code function: 0_2_016B7C21 0_2_016B7C21
Source: C:\Users\user\Desktop\PTA009483.exe Code function: 0_2_016B6776 0_2_016B6776
Source: C:\Users\user\Desktop\PTA009483.exe Code function: 0_2_016B67C2 0_2_016B67C2
Source: C:\Users\user\Desktop\PTA009483.exe Code function: 0_2_016B6C61 0_2_016B6C61
Source: C:\Users\user\Desktop\PTA009483.exe Code function: 0_2_016B4F77 0_2_016B4F77
Source: C:\Users\user\Desktop\PTA009483.exe Code function: 0_2_016B4F88 0_2_016B4F88
Source: C:\Users\user\Desktop\PTA009483.exe Code function: 0_2_016B7CD1 0_2_016B7CD1
Source: C:\Users\user\Desktop\PTA009483.exe Code function: 0_2_016B7F58 0_2_016B7F58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_02C146E0 1_2_02C146E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_02C13D90 1_2_02C13D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_02C146D3 1_2_02C146D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_02C14650 1_2_02C14650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_02C1D321 1_2_02C1D321
Sample file is different than original file name gathered from version info
Source: PTA009483.exe, 00000000.00000002.675453288.00000000030D9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs PTA009483.exe
Source: PTA009483.exe, 00000000.00000002.674560826.0000000000D98000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSecurityRunti.exe@ vs PTA009483.exe
Source: PTA009483.exe, 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameIndvGslqFtFYfKpHTgcTQzFewbwOcpef.exe4 vs PTA009483.exe
Source: PTA009483.exe, 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs PTA009483.exe
Source: PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameIndvGslqFtFYfKpHTgcTQzFewbwOcpef.exe4 vs PTA009483.exe
Source: PTA009483.exe, 00000000.00000002.677189654.0000000005F70000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs PTA009483.exe
Source: PTA009483.exe Binary or memory string: OriginalFilenameSecurityRunti.exe@ vs PTA009483.exe
Source: PTA009483.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: PTA009483.exe Virustotal: Detection: 35%
Source: PTA009483.exe Metadefender: Detection: 28%
Source: PTA009483.exe ReversingLabs: Detection: 67%
Source: PTA009483.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PTA009483.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\PTA009483.exe "C:\Users\user\Desktop\PTA009483.exe"
Source: C:\Users\user\Desktop\PTA009483.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 632
Source: C:\Users\user\Desktop\PTA009483.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PTA009483.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PTA009483.exe.log
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WEREBC5.tmp
Source: classification engine Classification label: mal100.troj.adwa.spyw.evad.winEXE@4/8@0/0
Source: C:\Users\user\Desktop\PTA009483.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4500
Source: PTA009483.exe String found in binary or memory: ../Images/stop.gif
Source: PTA009483.exe String found in binary or memory: images/stop.gif
Source: PTA009483.exe String found in binary or memory: 7A7256%../Images/Play.gif'../Images/Pause.gif%../Images/stop.gif
Source: PTA009483.exe String found in binary or memory: images/stop.gifp
Source: PTA009483.exe String found in binary or memory: Images/stop.gif
Source: 1.0.RegSvcs.exe.400000.4.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.RegSvcs.exe.400000.2.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.RegSvcs.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PTA009483.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PTA009483.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PTA009483.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: onfiguration.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp
Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: anagement.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
Source: Binary string: CustomMarshalers.pdb\ source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.889612648.0000000004A1B000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.890239443.0000000002BEF000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885678612.000000000610F000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
Source: Binary string: .ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdb`B source: WEREBC5.tmp.dmp.18.dr
Source: Binary string: profapi.pdb; source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbG source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb/ source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source: Binary string: System.pdbzz source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.889729636.0000000002BF5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
Source: Binary string: System.Xml.pdb{{ source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
Source: Binary string: sxs.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source: Binary string: (PYo0C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: indows.Forms.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: RegSvcs.PDB source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
Source: Binary string: wbemdisp.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: RegSvcs.pdbegSvcs.pdbpdbvcs.pdbv4.0.30319\RegSvcs.pdb3062332-1002 source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: clrjit.pdb= source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WEREBC5.tmp.dmp.18.dr
Source: Binary string: WinTypes.pdb2 source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
Source: Binary string: ole32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source: Binary string: t.VisualBasic.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: System.Management.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
Source: Binary string: System.pdb3 source: WEREBC5.tmp.dmp.18.dr
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WEREBC5.tmp.dmp.18.dr
Source: Binary string: doC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbr source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdbRegSvcs.exe$ source: WEREBC5.tmp.dmp.18.dr
Source: Binary string: version.pdb1 source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: CustomMarshalers.pdbCA source: WEREBC5.tmp.dmp.18.dr
Source: Binary string: System.Xml.ni.pdbRSDS source: WEREBC5.tmp.dmp.18.dr
Source: Binary string: RegSvcs.pdbr source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WEREBC5.tmp.dmp.18.dr
Source: Binary string: ole32.pdb# source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
Source: Binary string: vaultcli.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
Source: Binary string: powrprof.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbqk source: WEREBC5.tmp.dmp.18.dr
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source: Binary string: indows.Forms.pdb"" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
Source: Binary string: System.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source: Binary string: .pdb source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdbL source: WEREBC5.tmp.dmp.18.dr
Source: Binary string: profapi.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
Source: Binary string: symbols\exe\RegSvcs.pdbzX source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbRSDS source: WEREBC5.tmp.dmp.18.dr
Source: Binary string: clrjit.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbI source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000001.00000002.922884633.00000000060C0000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885638991.00000000060C0000.00000004.00000001.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
Source: Binary string: fastprox.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: onfiguration.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp
Source: Binary string: CustomMarshalers.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
Source: Binary string: System.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
Source: Binary string: fastprox.pdb0 source: WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: RegSvcs.pdb=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUT-7H source: RegSvcs.exe, 00000001.00000002.922939579.000000000610F000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885678612.000000000610F000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000012.00000003.889729636.0000000002BF5000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000001.00000002.922884633.00000000060C0000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885638991.00000000060C0000.00000004.00000001.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PTA009483.exe Code function: 0_2_016B445A pushfd ; retf 0_2_016B4461
Source: initial sample Static PE information: section name: .text entropy: 7.94597502339
Source: C:\Users\user\Desktop\PTA009483.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.PTA009483.exe.3105380.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.675453288.00000000030D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PTA009483.exe PID: 6544, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PTA009483.exe, 00000000.00000002.675453288.00000000030D9000.00000004.00000001.sdmp, PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: PTA009483.exe, 00000000.00000002.675453288.00000000030D9000.00000004.00000001.sdmp, PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PTA009483.exe TID: 6548 Thread sleep time: -40148s >= -30000s
Source: C:\Users\user\Desktop\PTA009483.exe TID: 4180 Thread sleep time: -922337203685477s >= -30000s
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PTA009483.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 8685
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PTA009483.exe Thread delayed: delay time: 40148
Source: C:\Users\user\Desktop\PTA009483.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Amcache.hve.18.dr Binary or memory string: VMware
Source: Amcache.hve.18.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.18.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.18.dr Binary or memory string: VMware Virtual USB Mouse
Source: PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.18.dr Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Amcache.hve.18.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.18.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.18.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.18.dr Binary or memory string: VMware7,1
Source: Amcache.hve.18.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.18.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.18.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000012.00000002.915837616.0000000004A00000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000002.915745395.00000000048E0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.18.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.18.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.18.dr Binary or memory string: VMware, Inc.me
Source: WerFault.exe, 00000012.00000002.915807830.00000000049C4000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWP7
Source: Amcache.hve.18.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.18.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\PTA009483.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File written: C:\Windows\System32\drivers\etc\hosts
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PTA009483.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: RegSvcs.exe, 00000001.00000000.880199975.0000000001750000.00000002.00020000.sdmp, RegSvcs.exe, 00000001.00000000.884583764.0000000001750000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000001.00000000.880199975.0000000001750000.00000002.00020000.sdmp, RegSvcs.exe, 00000001.00000000.884583764.0000000001750000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000001.00000000.880199975.0000000001750000.00000002.00020000.sdmp, RegSvcs.exe, 00000001.00000000.884583764.0000000001750000.00000002.00020000.sdmp Binary or memory string: Progman
Source: RegSvcs.exe, 00000001.00000000.880199975.0000000001750000.00000002.00020000.sdmp, RegSvcs.exe, 00000001.00000000.884583764.0000000001750000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PTA009483.exe Queries volume information: C:\Users\user\Desktop\PTA009483.exe VolumeInformation
Source: C:\Users\user\Desktop\PTA009483.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PTA009483.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PTA009483.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\PTA009483.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File written: C:\Windows\System32\drivers\etc\hosts
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.18.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 1.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PTA009483.exe.4121b08.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RegSvcs.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PTA009483.exe.40ec0e8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RegSvcs.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PTA009483.exe.4121b08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PTA009483.exe.40ec0e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.673328512.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.917262490.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.672572361.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.877668648.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.883876684.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.672990070.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.673620269.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.882714795.0000000002E58000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.922268138.0000000002E58000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.884947434.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.885072574.0000000002E58000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PTA009483.exe PID: 6544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WerFault.exe PID: 6172, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Yara detected Credential Stealer
Source: Yara match File source: 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.884947434.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4500, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 1.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PTA009483.exe.4121b08.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RegSvcs.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PTA009483.exe.40ec0e8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RegSvcs.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PTA009483.exe.4121b08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PTA009483.exe.40ec0e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.673328512.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.917262490.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.672572361.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.877668648.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.883876684.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.672990070.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.673620269.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.882714795.0000000002E58000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.922268138.0000000002E58000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.884947434.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.885072574.0000000002E58000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PTA009483.exe PID: 6544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WerFault.exe PID: 6172, type: MEMORYSTR
No contacted IP infos