

Windows Analysis Report PTA009483.exe

Overview

General Information

Sample Name: PTA009483.exe
Analysis ID: 532659
MD5: c32dc27c35f471c71e237b07cffc263d
SHA1: b8518918c8aeaaaf989e6361907debff3da0d6f6
SHA256: ae4bc61fdbd79efa881919084a9858bc02935ae6ed8644f246ff0f56d87d6e9f
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • PTA009483.exe (PID: 6544 cmdline: "C:\Users\user\Desktop\PTA009483.exe" MD5: C32DC27C35F471C71E237B07CFFC263D)
    • RegSvcs.exe (PID: 4500 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • WerFault.exe (PID: 6172 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 632 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "info@devmetsan.com.tr", "Password": "Murat2019*", "Host": "mail.devmetsan.com.tr"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.675453288.00000000030D9000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000001.00000000.673328512.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000000.673328512.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000001.00000002.917262490.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.917262490.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
(5 of 28 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.PTA009483.exe.4121b08.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.PTA009483.exe.4121b08.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
1.0.RegSvcs.exe.400000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 20 entries shown)

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started
Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard
Data:
  Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  CommandLine|base64offset|contains:
  Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  ParentCommandLine: "C:\Users\user\Desktop\PTA009483.exe"
  ParentImage: C:\Users\user\Desktop\PTA009483.exe
  ParentProcessId: 6544
  ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  ProcessId: 4500

Sigma detected: Possible Applocker Bypass
Source: Process started
Author: juju4
Data:
  Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  CommandLine|base64offset|contains:
  Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  ParentCommandLine: "C:\Users\user\Desktop\PTA009483.exe"
  ParentImage: C:\Users\user\Desktop\PTA009483.exe
  ParentProcessId: 6544
  ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  ProcessId: 4500

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 1.0.RegSvcs.exe.400000.4.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info@devmetsan.com.tr", "Password": "Murat2019*", "Host": "mail.devmetsan.com.tr"}

Multi AV Scanner detection for submitted file
Source: PTA009483.exe | Virustotal: Detection: 35%
Source: PTA009483.exe | Metadefender: Detection: 28%
Source: PTA009483.exe | ReversingLabs: Detection: 67%
Source: 1.0.RegSvcs.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.0.RegSvcs.exe.400000.2.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.0.RegSvcs.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.0.RegSvcs.exe.400000.5.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.0.RegSvcs.exe.400000.3.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.0.RegSvcs.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: PTA009483.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PTA009483.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: onfiguration.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp
                      Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: anagement.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
                      Source: Binary string: CustomMarshalers.pdb\ source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.889612648.0000000004A1B000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.890239443.0000000002BEF000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885678612.000000000610F000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: clr.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
                      Source: Binary string: .ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
                      Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdb`B source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: profapi.pdb; source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdbG source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: dwmapi.pdb/ source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: System.pdbzz source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.889729636.0000000002BF5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: System.Xml.pdb{{ source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
                      Source: Binary string: sxs.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: (PYo0C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: indows.Forms.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: RegSvcs.PDB source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: mscoree.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: wbemdisp.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: RegSvcs.pdbegSvcs.pdbpdbvcs.pdbv4.0.30319\RegSvcs.pdb3062332-1002 source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: clrjit.pdb= source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdbRSDS source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: WinTypes.pdb2 source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: t.VisualBasic.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
                      Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Management.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: System.pdb3 source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: doC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbr source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: System.Core.pdbRegSvcs.exe$ source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: version.pdb1 source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: CustomMarshalers.pdbCA source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: System.Xml.ni.pdbRSDS source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: RegSvcs.pdbr source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdbRSDSD source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: ole32.pdb# source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: mscoreei.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
                      Source: Binary string: vaultcli.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: powrprof.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdbqk source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: indows.Forms.pdb"" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
                      Source: Binary string: System.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: .pdb source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdbL source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
                      Source: Binary string: symbols\exe\RegSvcs.pdbzX source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdbRSDS source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: clrjit.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdbI source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000001.00000002.922884633.00000000060C0000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885638991.00000000060C0000.00000004.00000001.sdmp
                      Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: fastprox.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: version.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: onfiguration.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp
                      Source: Binary string: CustomMarshalers.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: System.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: fastprox.pdb0 source: WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
                      Source: Binary string: psapi.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: RegSvcs.pdb=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUT-7H source: RegSvcs.exe, 00000001.00000002.922939579.000000000610F000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885678612.000000000610F000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000012.00000003.889729636.0000000002BF5000.00000004.00000001.sdmp
                      Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000001.00000002.922884633.00000000060C0000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885638991.00000000060C0000.00000004.00000001.sdmp
                      Source: Binary string: combase.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: RegSvcs.exe, 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
                      Source: RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp | String found in binary or memory: http://OGxUTf.com
                      Source: WerFault.exe, 00000012.00000003.913838802.00000000048E9000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000002.915756715.00000000048E7000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
                      Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
                      Source: Amcache.hve.18.dr | String found in binary or memory: http://upx.sf.net
                      Source: RegSvcs.exe, 00000001.00000000.885051928.0000000002E51000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
                      Source: RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: PTA009483.exe, 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.673328512.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: RegSvcs.exe, 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                      Spam, unwanted Advertisements and Ransom Demands:

                      Modifies the hosts file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

                      System Summary:

                      .NET source code contains very large array initializations
                      Source: 1.0.RegSvcs.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs | Large array initialization: .cctor: array initializer size 11838
                      Source: 1.0.RegSvcs.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs | Large array initialization: .cctor: array initializer size 11838
                      Source: 1.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs | Large array initialization: .cctor: array initializer size 11838
                      Source: 1.0.RegSvcs.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs | Large array initialization: .cctor: array initializer size 11838
                      Source: 1.0.RegSvcs.exe.400000.5.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs | Large array initialization: .cctor: array initializer size 11838
                      Source: 1.0.RegSvcs.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs | Large array initialization: .cctor: array initializer size 11838
                      Source: PTA009483.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 632
                      Source: C:\Users\user\Desktop\PTA009483.exe | Code function: 0_2_00D35196
                      Source: C:\Users\user\Desktop\PTA009483.exe | Code function: 0_2_016B6458
                      Source: C:\Users\user\Desktop\PTA009483.exe | Code function: 0_2_016BE488
                      Source: C:\Users\user\Desktop\PTA009483.exe | Code function: 0_2_016B6788
                      Source: C:\Users\user\Desktop\PTA009483.exe | Code function: 0_2_016B7C21
                      Source: C:\Users\user\Desktop\PTA009483.exe | Code function: 0_2_016B6776
                      Source: C:\Users\user\Desktop\PTA009483.exe | Code function: 0_2_016B67C2
                      Source: C:\Users\user\Desktop\PTA009483.exe | Code function: 0_2_016B6C61
                      Source: C:\Users\user\Desktop\PTA009483.exe | Code function: 0_2_016B4F77
                      Source: C:\Users\user\Desktop\PTA009483.exe | Code function: 0_2_016B4F88
                      Source: C:\Users\user\Desktop\PTA009483.exe | Code function: 0_2_016B7CD1
                      Source: C:\Users\user\Desktop\PTA009483.exe | Code function: 0_2_016B7F58
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_02C146E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_02C13D90
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_02C146D3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_02C14650
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_02C1D321
                      Source: PTA009483.exe, 00000000.00000002.675453288.00000000030D9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs PTA009483.exe
                      Source: PTA009483.exe, 00000000.00000002.674560826.0000000000D98000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSecurityRunti.exe@ vs PTA009483.exe
                      Source: PTA009483.exe, 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIndvGslqFtFYfKpHTgcTQzFewbwOcpef.exe4 vs PTA009483.exe
                      Source: PTA009483.exe, 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs PTA009483.exe
                      Source: PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIndvGslqFtFYfKpHTgcTQzFewbwOcpef.exe4 vs PTA009483.exe
                      Source: PTA009483.exe, 00000000.00000002.677189654.0000000005F70000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs PTA009483.exe
                      Source: PTA009483.exe | Binary or memory string: OriginalFilenameSecurityRunti.exe@ vs PTA009483.exe
                      Source: PTA009483.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: PTA009483.exe | Virustotal: Detection: 35%
                      Source: PTA009483.exe | Metadefender: Detection: 28%
                      Source: PTA009483.exe | ReversingLabs: Detection: 67%
                      Source: PTA009483.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\PTA009483.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Users\user\Desktop\PTA009483.exe "C:\Users\user\Desktop\PTA009483.exe"
                      Source: C:\Users\user\Desktop\PTA009483.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 632
                      Source: C:\Users\user\Desktop\PTA009483.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\PTA009483.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PTA009483.exe.log
                      Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WEREBC5.tmp
                      Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@4/8@0/0
                      Source: C:\Users\user\Desktop\PTA009483.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4500
                      Source: PTA009483.exe | String found in binary or memory: ../Images/stop.gif
                      Source: PTA009483.exe | String found in binary or memory: ../Images/stop.gif
                      Source: PTA009483.exe | String found in binary or memory: images/stop.gif
                      Source: PTA009483.exe | String found in binary or memory: images/stop.gif
                      Source: PTA009483.exe | String found in binary or memory: 7A7256%../Images/Play.gif'../Images/Pause.gif%../Images/stop.gif
                      Source: PTA009483.exe | String found in binary or memory: 7A7256%../Images/Play.gif'../Images/Pause.gif%../Images/stop.gif
                      Source: PTA009483.exe | String found in binary or memory: images/stop.gifp
                      Source: PTA009483.exe | String found in binary or memory: images/stop.gifp
                      Source: PTA009483.exe | String found in binary or memory: Images/stop.gif
                      Source: PTA009483.exe | String found in binary or memory: Images/stop.gif
                      Source: 1.0.RegSvcs.exe.400000.4.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 1.0.RegSvcs.exe.400000.4.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 1.0.RegSvcs.exe.400000.2.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 1.0.RegSvcs.exe.400000.2.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 1.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 1.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\PTA009483.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: PTA009483.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: PTA009483.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: onfiguration.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp
                      Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: anagement.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
                      Source: Binary string: CustomMarshalers.pdb\ source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.889612648.0000000004A1B000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.890239443.0000000002BEF000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885678612.000000000610F000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: clr.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
                      Source: Binary string: .ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
                      Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdb`B source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: profapi.pdb; source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdbG source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: dwmapi.pdb/ source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: System.pdbzz source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.889729636.0000000002BF5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: System.Xml.pdb{{ source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
                      Source: Binary string: sxs.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: (PYo0C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: indows.Forms.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: RegSvcs.PDB source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: mscoree.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: wbemdisp.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: RegSvcs.pdbegSvcs.pdbpdbvcs.pdbv4.0.30319\RegSvcs.pdb3062332-1002 source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: clrjit.pdb= source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdbRSDS source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: WinTypes.pdb2 source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: t.VisualBasic.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
                      Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Management.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: System.pdb3 source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: doC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbr source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: System.Core.pdbRegSvcs.exe$ source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: version.pdb1 source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: CustomMarshalers.pdbCA source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: System.Xml.ni.pdbRSDS source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: RegSvcs.pdbr source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdbRSDSD source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: ole32.pdb# source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Management.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: mscoreei.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
                      Source: Binary string: vaultcli.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: powrprof.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdbqk source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: indows.Forms.pdb"" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
                      Source: Binary string: System.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: .pdb source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdbL source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
                      Source: Binary string: symbols\exe\RegSvcs.pdbzX source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdbRSDS source: WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: clrjit.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdbI source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000001.00000002.922884633.00000000060C0000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885638991.00000000060C0000.00000004.00000001.sdmp
                      Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: fastprox.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: version.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: onfiguration.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp
                      Source: Binary string: CustomMarshalers.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: System.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: fastprox.pdb0 source: WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
                      Source: Binary string: psapi.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: RegSvcs.pdb=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUT-7H source: RegSvcs.exe, 00000001.00000002.922939579.000000000610F000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885678612.000000000610F000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000012.00000003.889729636.0000000002BF5000.00000004.00000001.sdmp
                      Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000001.00000002.922884633.00000000060C0000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885638991.00000000060C0000.00000004.00000001.sdmp
                      Source: Binary string: combase.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
                      Source: C:\Users\user\Desktop\PTA009483.exe Code function: 0_2_016B445A pushfd ; retf 0_2_016B4461
                      Source: initial sample Static PE information: section name: .text entropy: 7.94597502339
                      Source: C:\Users\user\Desktop\PTA009483.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PTA009483.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PTA009483.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PTA009483.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PTA009483.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PTA009483.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PTA009483.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PTA009483.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PTA009483.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PTA009483.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PTA009483.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PTA009483.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PTA009483.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PTA009483.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PTA009483.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PTA009483.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PTA009483.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Process information set: NOOPENFILEERRORBOX (44 identical entries)
                      Source: C:\Windows\SysWOW64\WerFault.exe -- Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe -- Process information set: NOOPENFILEERRORBOX (20 identical entries)

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match -- File source: 0.2.PTA009483.exe.3105380.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match -- File source: 00000000.00000002.675453288.00000000030D9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match -- File source: 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match -- File source: Process Memory Space: PTA009483.exe PID: 6544, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: PTA009483.exe, 00000000.00000002.675453288.00000000030D9000.00000004.00000001.sdmp, PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp -- Binary or memory string: SBIEDLL.DLL
                      Source: PTA009483.exe, 00000000.00000002.675453288.00000000030D9000.00000004.00000001.sdmp, PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp -- Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\PTA009483.exe TID: 6548 -- Thread sleep time: -40148s >= -30000s
                      Source: C:\Users\user\Desktop\PTA009483.exe TID: 4180 -- Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\PTA009483.exe -- Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Window / User API: threadDelayed 1171
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Window / User API: threadDelayed 8685
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\PTA009483.exe -- Thread delayed: delay time: 40148
                      Source: C:\Users\user\Desktop\PTA009483.exe -- Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Thread delayed: delay time: 922337203685477
                      Source: PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp -- Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                      Source: Amcache.hve.18.dr -- Binary or memory string: VMware
                      Source: Amcache.hve.18.dr -- Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: Amcache.hve.18.dr -- Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.18.dr -- Binary or memory string: VMware Virtual USB Mouse
                      Source: PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp -- Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Amcache.hve.18.dr -- Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
                      Source: PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp -- Binary or memory string: vmware
                      Source: Amcache.hve.18.dr -- Binary or memory string: VMware, Inc.
                      Source: Amcache.hve.18.dr -- Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                      Source: Amcache.hve.18.dr -- Binary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.18.dr -- Binary or memory string: VMware7,1
                      Source: Amcache.hve.18.dr -- Binary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.18.dr -- Binary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.18.dr -- Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: WerFault.exe, 00000012.00000002.915837616.0000000004A00000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000002.915745395.00000000048E0000.00000004.00000001.sdmp -- Binary or memory string: Hyper-V RAW
                      Source: Amcache.hve.18.dr -- Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.18.dr -- Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.18.dr -- Binary or memory string: VMware, Inc.me
                      Source: WerFault.exe, 00000012.00000002.915807830.00000000049C4000.00000004.00000001.sdmp -- Binary or memory string: Hyper-V RAWP7
                      Source: PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp -- Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: Amcache.hve.18.dr -- Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Process queried: DebugPort (2 identical entries)
                      Source: C:\Users\user\Desktop\PTA009483.exe -- Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Modifies the hosts file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- File written: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\PTA009483.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: RegSvcs.exe, 00000001.00000000.880199975.0000000001750000.00000002.00020000.sdmp, RegSvcs.exe, 00000001.00000000.884583764.0000000001750000.00000002.00020000.sdmp -- Binary or memory string: Program Manager
                      Source: RegSvcs.exe, 00000001.00000000.880199975.0000000001750000.00000002.00020000.sdmp, RegSvcs.exe, 00000001.00000000.884583764.0000000001750000.00000002.00020000.sdmp -- Binary or memory string: Shell_TrayWnd
                      Source: RegSvcs.exe, 00000001.00000000.880199975.0000000001750000.00000002.00020000.sdmp, RegSvcs.exe, 00000001.00000000.884583764.0000000001750000.00000002.00020000.sdmp -- Binary or memory string: Progman
                      Source: RegSvcs.exe, 00000001.00000000.880199975.0000000001750000.00000002.00020000.sdmp, RegSvcs.exe, 00000001.00000000.884583764.0000000001750000.00000002.00020000.sdmp -- Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\PTA009483.exe -- Queries volume information: C:\Users\user\Desktop\PTA009483.exe VolumeInformation
                      Source: C:\Users\user\Desktop\PTA009483.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PTA009483.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PTA009483.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 identical entries)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PTA009483.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Modifies the hosts file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- File written: C:\Windows\System32\drivers\etc\hosts
                      Source: Amcache.hve.18.dr -- Binary or memory string: c:\program files\windows defender\msmpeng.exe

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match -- File source: 1.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match -- File source: 0.2.PTA009483.exe.4121b08.4.unpack, type: UNPACKEDPE
                      Source: Yara match -- File source: 1.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
                      Source: Yara match -- File source: 1.0.RegSvcs.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match -- File source: 0.2.PTA009483.exe.40ec0e8.3.unpack, type: UNPACKEDPE
                      Source: Yara match -- File source: 1.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
                      Source: Yara match -- File source: 1.0.RegSvcs.exe.400000.5.unpack, type: UNPACKEDPE
                      Source: Yara match -- File source: 1.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match -- File source: 1.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match -- File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match -- File source: 0.2.PTA009483.exe.4121b08.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match -- File source: 0.2.PTA009483.exe.40ec0e8.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match -- File source: 00000001.00000000.673328512.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match -- File source: 00000001.00000002.917262490.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match -- File source: 00000001.00000000.672572361.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match -- File source: 00000001.00000000.877668648.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match -- File source: 00000001.00000000.883876684.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match -- File source: 00000001.00000000.672990070.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match -- File source: 00000001.00000000.673620269.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match -- File source: 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match -- File source: 00000001.00000000.882714795.0000000002E58000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match -- File source: 00000001.00000002.922268138.0000000002E58000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match -- File source: 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match -- File source: 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match -- File source: 00000001.00000000.884947434.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match -- File source: 00000001.00000000.885072574.0000000002E58000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match -- File source: 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match -- File source: Process Memory Space: PTA009483.exe PID: 6544, type: MEMORYSTR
                      Source: Yara match -- File source: Process Memory Space: RegSvcs.exe PID: 4500, type: MEMORYSTR
                      Source: Yara match -- File source: Process Memory Space: WerFault.exe PID: 6172, type: MEMORYSTR
                      Tries to steal Mail credentials (via file / registry access)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 identical entries)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: Yara match -- File source: 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match -- File source: 00000001.00000000.884947434.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match -- File source: 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match -- File source: Process Memory Space: RegSvcs.exe PID: 4500, type: MEMORYSTR

                      Remote Access Functionality:
