Play interactive tour

Edit tour

Windows Analysis Report PTA009483.exe

Overview

General Information

Sample Name:	PTA009483.exe
Analysis ID:	532659
MD5:	c32dc27c35f471c71e237b07cffc263d
SHA1:	b8518918c8aeaaaf989e6361907debff3da0d6f6
SHA256:	ae4bc61fdbd79efa881919084a9858bc02935ae6ed8644f246ff0f56d87d6e9f
Tags:	AgentTeslaexe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Tries to steal Mail credentials (via file / registry access)

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Modifies the hosts file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

Checks if the current process is being debugged

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

PTA009483.exe (PID: 6544 cmdline: "C:\Users\user\Desktop\PTA009483.exe" MD5: C32DC27C35F471C71E237B07CFFC263D)

RegSvcs.exe (PID: 4500 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

WerFault.exe (PID: 6172 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 632 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "info@devmetsan.com.tr", "Password": "Murat2019*", "Host": "mail.devmetsan.com.tr"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.675453288.00000000030D9000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000000.673328512.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.673328512.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.917262490.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.917262490.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000000.882714795.0000000002E58000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.922268138.0000000002E58000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.672572361.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.672572361.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000000.877668648.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.877668648.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000000.883876684.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.883876684.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000000.884947434.0000000002DA1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.884947434.0000000002DA1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000000.672990070.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.672990070.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000000.673620269.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.673620269.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000000.885072574.0000000002E58000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Process Memory Space: PTA009483.exe PID: 6544	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PTA009483.exe PID: 6544	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 4500	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 4500	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: WerFault.exe PID: 6172	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author
1.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.PTA009483.exe.4121b08.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PTA009483.exe.4121b08.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.RegSvcs.exe.400000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.RegSvcs.exe.400000.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.RegSvcs.exe.400000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.RegSvcs.exe.400000.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.PTA009483.exe.40ec0e8.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PTA009483.exe.40ec0e8.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.RegSvcs.exe.400000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.RegSvcs.exe.400000.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.RegSvcs.exe.400000.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.RegSvcs.exe.400000.5.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.RegSvcs.exe.400000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.RegSvcs.exe.400000.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.RegSvcs.exe.400000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.RegSvcs.exe.400000.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.PTA009483.exe.3105380.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.PTA009483.exe.4121b08.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PTA009483.exe.4121b08.4.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.PTA009483.exe.40ec0e8.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PTA009483.exe.40ec0e8.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 20 entries

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Show sources

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\PTA009483.exe" , ParentImage: C:\Users\user\Desktop\PTA009483.exe, ParentProcessId: 6544, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4500

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\PTA009483.exe" , ParentImage: C:\Users\user\Desktop\PTA009483.exe, ParentProcessId: 6544, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4500

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.0.RegSvcs.exe.400000.4.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info@devmetsan.com.tr", "Password": "Murat2019*", "Host": "mail.devmetsan.com.tr"}

Multi AV Scanner detection for submitted file

Show sources

Source: PTA009483.exe	Virustotal: Detection: 35%	Perma Link
Source: PTA009483.exe	Metadefender: Detection: 28%	Perma Link
Source: PTA009483.exe	ReversingLabs: Detection: 67%

Source: 1.0.RegSvcs.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 1.0.RegSvcs.exe.400000.2.unpack	Avira: Label: TR/Spy.Gen8
Source: 1.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 1.0.RegSvcs.exe.400000.1.unpack	Avira: Label: TR/Spy.Gen8
Source: 1.0.RegSvcs.exe.400000.5.unpack	Avira: Label: TR/Spy.Gen8
Source: 1.0.RegSvcs.exe.400000.3.unpack	Avira: Label: TR/Spy.Gen8
Source: 1.0.RegSvcs.exe.400000.6.unpack	Avira: Label: TR/Spy.Gen8
Source: 1.0.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Source: PTA009483.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: PTA009483.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: onfiguration.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp
Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: anagement.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
Source:	Binary string: CustomMarshalers.pdb\ source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.889612648.0000000004A1B000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.890239443.0000000002BEF000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
Source:	Binary string: wbemcomn.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885678612.000000000610F000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdb`B source: WEREBC5.tmp.dmp.18.dr
Source:	Binary string: profapi.pdb; source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbG source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdb/ source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source:	Binary string: System.pdbzz source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.889729636.0000000002BF5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: System.Xml.pdb{{ source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
Source:	Binary string: sxs.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source:	Binary string: (PYo0C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: indows.Forms.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.PDB source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
Source:	Binary string: wbemdisp.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdbegSvcs.pdbpdbvcs.pdbv4.0.30319\RegSvcs.pdb3062332-1002 source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: clrjit.pdb= source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WEREBC5.tmp.dmp.18.dr
Source:	Binary string: WinTypes.pdb2 source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source:	Binary string: t.VisualBasic.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Management.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: System.pdb3 source: WEREBC5.tmp.dmp.18.dr
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WEREBC5.tmp.dmp.18.dr
Source:	Binary string: doC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbr source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbRegSvcs.exe$ source: WEREBC5.tmp.dmp.18.dr
Source:	Binary string: version.pdb1 source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: CustomMarshalers.pdbCA source: WEREBC5.tmp.dmp.18.dr
Source:	Binary string: System.Xml.ni.pdbRSDS source: WEREBC5.tmp.dmp.18.dr
Source:	Binary string: RegSvcs.pdbr source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdbRSDSD source: WEREBC5.tmp.dmp.18.dr
Source:	Binary string: ole32.pdb# source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Management.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source:	Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
Source:	Binary string: vaultcli.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: powrprof.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbqk source: WEREBC5.tmp.dmp.18.dr
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: wmiutils.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3 source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source:	Binary string: indows.Forms.pdb"" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source:	Binary string: .pdb source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdbL source: WEREBC5.tmp.dmp.18.dr
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
Source:	Binary string: symbols\exe\RegSvcs.pdbzX source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WEREBC5.tmp.dmp.18.dr
Source:	Binary string: clrjit.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdbI source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000001.00000002.922884633.00000000060C0000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885638991.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: fastprox.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: wbemsvc.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp
Source:	Binary string: CustomMarshalers.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: System.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: fastprox.pdb0 source: WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUT-7H source: RegSvcs.exe, 00000001.00000002.922939579.000000000610F000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885678612.000000000610F000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000012.00000003.889729636.0000000002BF5000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000001.00000002.922884633.00000000060C0000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885638991.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: combase.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: wbemprox.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr

Source: RegSvcs.exe, 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp	String found in binary or memory: http://OGxUTf.com
Source: WerFault.exe, 00000012.00000003.913838802.00000000048E9000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000002.915756715.00000000048E7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Amcache.hve.18.dr	String found in binary or memory: http://upx.sf.net
Source: RegSvcs.exe, 00000001.00000000.885051928.0000000002E51000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%
Source: RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: PTA009483.exe, 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.673328512.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 1.0.RegSvcs.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs	Large array initialization: .cctor: array initializer size 11838
Source: 1.0.RegSvcs.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs	Large array initialization: .cctor: array initializer size 11838
Source: 1.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs	Large array initialization: .cctor: array initializer size 11838
Source: 1.0.RegSvcs.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs	Large array initialization: .cctor: array initializer size 11838
Source: 1.0.RegSvcs.exe.400000.5.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs	Large array initialization: .cctor: array initializer size 11838
Source: 1.0.RegSvcs.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs	Large array initialization: .cctor: array initializer size 11838

Source: PTA009483.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 632

Source: C:\Users\user\Desktop\PTA009483.exe	Code function: 0_2_00D35196	0_2_00D35196
Source: C:\Users\user\Desktop\PTA009483.exe	Code function: 0_2_016B6458	0_2_016B6458
Source: C:\Users\user\Desktop\PTA009483.exe	Code function: 0_2_016BE488	0_2_016BE488
Source: C:\Users\user\Desktop\PTA009483.exe	Code function: 0_2_016B6788	0_2_016B6788
Source: C:\Users\user\Desktop\PTA009483.exe	Code function: 0_2_016B7C21	0_2_016B7C21
Source: C:\Users\user\Desktop\PTA009483.exe	Code function: 0_2_016B6776	0_2_016B6776
Source: C:\Users\user\Desktop\PTA009483.exe	Code function: 0_2_016B67C2	0_2_016B67C2
Source: C:\Users\user\Desktop\PTA009483.exe	Code function: 0_2_016B6C61	0_2_016B6C61
Source: C:\Users\user\Desktop\PTA009483.exe	Code function: 0_2_016B4F77	0_2_016B4F77
Source: C:\Users\user\Desktop\PTA009483.exe	Code function: 0_2_016B4F88	0_2_016B4F88
Source: C:\Users\user\Desktop\PTA009483.exe	Code function: 0_2_016B7CD1	0_2_016B7CD1
Source: C:\Users\user\Desktop\PTA009483.exe	Code function: 0_2_016B7F58	0_2_016B7F58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_02C146E0	1_2_02C146E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_02C13D90	1_2_02C13D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_02C146D3	1_2_02C146D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_02C14650	1_2_02C14650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_02C1D321	1_2_02C1D321

Source: PTA009483.exe, 00000000.00000002.675453288.00000000030D9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameInnerException.dll" vs PTA009483.exe
Source: PTA009483.exe, 00000000.00000002.674560826.0000000000D98000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSecurityRunti.exe@ vs PTA009483.exe
Source: PTA009483.exe, 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameIndvGslqFtFYfKpHTgcTQzFewbwOcpef.exe4 vs PTA009483.exe
Source: PTA009483.exe, 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dll@ vs PTA009483.exe
Source: PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameIndvGslqFtFYfKpHTgcTQzFewbwOcpef.exe4 vs PTA009483.exe
Source: PTA009483.exe, 00000000.00000002.677189654.0000000005F70000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dll@ vs PTA009483.exe
Source: PTA009483.exe	Binary or memory string: OriginalFilenameSecurityRunti.exe@ vs PTA009483.exe

Source: PTA009483.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: PTA009483.exe	Virustotal: Detection: 35%
Source: PTA009483.exe	Metadefender: Detection: 28%
Source: PTA009483.exe	ReversingLabs: Detection: 67%

Source: PTA009483.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PTA009483.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PTA009483.exe "C:\Users\user\Desktop\PTA009483.exe"
Source: C:\Users\user\Desktop\PTA009483.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 632
Source: C:\Users\user\Desktop\PTA009483.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\PTA009483.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PTA009483.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WEREBC5.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@4/8@0/0

Source: C:\Users\user\Desktop\PTA009483.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4500

Source: PTA009483.exe	String found in binary or memory: ../Images/stop.gif
Source: PTA009483.exe	String found in binary or memory: ../Images/stop.gif
Source: PTA009483.exe	String found in binary or memory: images/stop.gif
Source: PTA009483.exe	String found in binary or memory: images/stop.gif
Source: PTA009483.exe	String found in binary or memory: 7A7256%../Images/Play.gif'../Images/Pause.gif%../Images/stop.gif
Source: PTA009483.exe	String found in binary or memory: 7A7256%../Images/Play.gif'../Images/Pause.gif%../Images/stop.gif
Source: PTA009483.exe	String found in binary or memory: images/stop.gifp
Source: PTA009483.exe	String found in binary or memory: images/stop.gifp
Source: PTA009483.exe	String found in binary or memory: Images/stop.gif
Source: PTA009483.exe	String found in binary or memory: Images/stop.gif

Source: 1.0.RegSvcs.exe.400000.4.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.RegSvcs.exe.400000.4.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.RegSvcs.exe.400000.2.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.RegSvcs.exe.400000.2.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.RegSvcs.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.RegSvcs.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\PTA009483.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PTA009483.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PTA009483.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: onfiguration.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp
Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: anagement.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
Source:	Binary string: CustomMarshalers.pdb\ source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.889612648.0000000004A1B000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.890239443.0000000002BEF000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
Source:	Binary string: wbemcomn.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885678612.000000000610F000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdb`B source: WEREBC5.tmp.dmp.18.dr
Source:	Binary string: profapi.pdb; source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbG source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdb/ source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source:	Binary string: System.pdbzz source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.889729636.0000000002BF5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: System.Xml.pdb{{ source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
Source:	Binary string: sxs.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source:	Binary string: (PYo0C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: indows.Forms.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.PDB source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
Source:	Binary string: wbemdisp.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdbegSvcs.pdbpdbvcs.pdbv4.0.30319\RegSvcs.pdb3062332-1002 source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: clrjit.pdb= source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WEREBC5.tmp.dmp.18.dr
Source:	Binary string: WinTypes.pdb2 source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source:	Binary string: t.VisualBasic.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Management.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: System.pdb3 source: WEREBC5.tmp.dmp.18.dr
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WEREBC5.tmp.dmp.18.dr
Source:	Binary string: doC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbr source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbRegSvcs.exe$ source: WEREBC5.tmp.dmp.18.dr
Source:	Binary string: version.pdb1 source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: CustomMarshalers.pdbCA source: WEREBC5.tmp.dmp.18.dr
Source:	Binary string: System.Xml.ni.pdbRSDS source: WEREBC5.tmp.dmp.18.dr
Source:	Binary string: RegSvcs.pdbr source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdbRSDSD source: WEREBC5.tmp.dmp.18.dr
Source:	Binary string: ole32.pdb# source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Management.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source:	Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
Source:	Binary string: vaultcli.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: powrprof.pdb% source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbqk source: WEREBC5.tmp.dmp.18.dr
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: wmiutils.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3 source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source:	Binary string: indows.Forms.pdb"" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source:	Binary string: .pdb source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdbL source: WEREBC5.tmp.dmp.18.dr
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
Source:	Binary string: symbols\exe\RegSvcs.pdbzX source: RegSvcs.exe, 00000001.00000000.884060620.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917576390.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WEREBC5.tmp.dmp.18.dr
Source:	Binary string: clrjit.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdbI source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000001.00000002.922884633.00000000060C0000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885638991.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: fastprox.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: wbemsvc.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp
Source:	Binary string: CustomMarshalers.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: System.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: fastprox.pdb0 source: WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000012.00000003.898446598.0000000004FC0000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUT-7H source: RegSvcs.exe, 00000001.00000002.922939579.000000000610F000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885678612.000000000610F000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000012.00000003.889729636.0000000002BF5000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000012.00000003.898247144.0000000004E71000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000001.00000002.922884633.00000000060C0000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.885638991.00000000060C0000.00000004.00000001.sdmp
Source:	Binary string: combase.pdbk source: WerFault.exe, 00000012.00000003.898336350.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.897927358.0000000004FC1000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898473121.0000000004FC5000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898178732.0000000004FD7000.00000004.00000001.sdmp, WEREBC5.tmp.dmp.18.dr
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: wbemprox.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb" source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898136902.0000000004FDB000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 00000012.00000003.898001378.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898151435.0000000004FD5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.898348528.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.898493776.0000000004FC8000.00000004.00000040.sdmp, WEREBC5.tmp.dmp.18.dr

Source: C:\Users\user\Desktop\PTA009483.exe

Code function: 0_2_016B445A pushfd ; retf

0_2_016B4461

Source: initial sample

Static PE information: section name: .text entropy: 7.94597502339

Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 0.2.PTA009483.exe.3105380.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.675453288.00000000030D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PTA009483.exe PID: 6544, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: PTA009483.exe, 00000000.00000002.675453288.00000000030D9000.00000004.00000001.sdmp, PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: PTA009483.exe, 00000000.00000002.675453288.00000000030D9000.00000004.00000001.sdmp, PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\PTA009483.exe TID: 6548	Thread sleep time: -40148s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe TID: 4180	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\PTA009483.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1171			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8685			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\PTA009483.exe	Thread delayed: delay time: 40148	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Amcache.hve.18.dr	Binary or memory string: VMware
Source: Amcache.hve.18.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual USB Mouse
Source: PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.18.dr	Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Amcache.hve.18.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.18.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.18.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.18.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000012.00000002.915837616.0000000004A00000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000002.915745395.00000000048E0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.18.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.18.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.18.dr	Binary or memory string: VMware, Inc.me
Source: WerFault.exe, 00000012.00000002.915807830.00000000049C4000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWP7
Source: Amcache.hve.18.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: PTA009483.exe, 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.18.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\PTA009483.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Users\user\Desktop\PTA009483.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jump to behavior

Source: RegSvcs.exe, 00000001.00000000.880199975.0000000001750000.00000002.00020000.sdmp, RegSvcs.exe, 00000001.00000000.884583764.0000000001750000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000001.00000000.880199975.0000000001750000.00000002.00020000.sdmp, RegSvcs.exe, 00000001.00000000.884583764.0000000001750000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000001.00000000.880199975.0000000001750000.00000002.00020000.sdmp, RegSvcs.exe, 00000001.00000000.884583764.0000000001750000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: RegSvcs.exe, 00000001.00000000.880199975.0000000001750000.00000002.00020000.sdmp, RegSvcs.exe, 00000001.00000000.884583764.0000000001750000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\PTA009483.exe	Queries volume information: C:\Users\user\Desktop\PTA009483.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PTA009483.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PTA009483.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: Amcache.hve.18.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 1.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PTA009483.exe.4121b08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.RegSvcs.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PTA009483.exe.40ec0e8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.RegSvcs.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PTA009483.exe.4121b08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PTA009483.exe.40ec0e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.673328512.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.917262490.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.672572361.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.877668648.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.883876684.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.672990070.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.673620269.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.882714795.0000000002E58000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.922268138.0000000002E58000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.884947434.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.885072574.0000000002E58000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PTA009483.exe PID: 6544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WerFault.exe PID: 6172, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.884947434.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4500, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 1.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PTA009483.exe.4121b08.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.RegSvcs.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PTA009483.exe.40ec0e8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.RegSvcs.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PTA009483.exe.4121b08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PTA009483.exe.40ec0e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.673328512.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.917262490.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.672572361.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.877668648.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.883876684.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.672990070.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.673620269.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.882714795.0000000002E58000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.922268138.0000000002E58000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.884947434.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.885072574.0000000002E58000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PTA009483.exe PID: 6544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WerFault.exe PID: 6172, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Path Interception	Process Injection12	Masquerading1	OS Credential Dumping1	Security Software Discovery231	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter2	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	File and Directory Permissions Modification1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Virtualization/Sandbox Evasion141	SMB/Windows Admin Shares	Data from Local System1	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion141	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection12	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Information Discovery114	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing3	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PTA009483.exe	35%	Virustotal		Browse
PTA009483.exe	29%	Metadefender		Browse
PTA009483.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.0.RegSvcs.exe.400000.4.unpack	100%	Avira	TR/Spy.Gen8	Download File
1.0.RegSvcs.exe.400000.2.unpack	100%	Avira	TR/Spy.Gen8	Download File
1.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
1.0.RegSvcs.exe.400000.1.unpack	100%	Avira	TR/Spy.Gen8	Download File
1.0.RegSvcs.exe.400000.5.unpack	100%	Avira	TR/Spy.Gen8	Download File
1.0.RegSvcs.exe.400000.3.unpack	100%	Avira	TR/Spy.Gen8	Download File
1.0.RegSvcs.exe.400000.6.unpack	100%	Avira	TR/Spy.Gen8	Download File
1.0.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://OGxUTf.com	0%	Avira URL Cloud	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005	WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier	WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	false		high
http://127.0.0.1:HTTP/1.1	RegSvcs.exe, 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o	WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200	WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegSvcs.exe, 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://OGxUTf.com	RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o	WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone	WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone	WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	false		high
https://api.ipify.org%GETMozilla/5.0	RegSvcs.exe, 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp	false	URL Reputation: safe	low
http://upx.sf.net	Amcache.hve.18.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince	WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20	WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	false		high
https://api.ipify.org%	RegSvcs.exe, 00000001.00000000.885051928.0000000002E51000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	PTA009483.exe, 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000000.673328512.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication	WerFault.exe, 00000012.00000003.895760202.0000000005390000.00000004.00000001.sdmp	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	532659
Start date:	02.12.2021
Start time:	15:43:33
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PTA009483.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winEXE@4/8@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.4% (good quality ratio 0.3%) Quality average: 46.2% Quality standard deviation: 31.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 65 Number of non-executed functions: 6
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 20.189.173.20 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:44:31	API Interceptor	2x Sleep call for process: PTA009483.exe modified
15:44:45	API Interceptor	655x Sleep call for process: RegSvcs.exe modified
15:46:25	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_6e42c2ecbe67857e042102e8f977834d8ccb729_75d5926b_19ab143c\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1283946255527386
Encrypted:	false
SSDEEP:	192:q1TGRdHBUZMXaaPXvJCM34/u7sxS274Itx:ES7BUZMXaapP34/u7sxX4Itx
MD5:	FB494F6D1079583F303AF529BE398F91
SHA1:	638029880F622D4B0E86D8ECE6A6E66B1B803D2D
SHA-256:	72758ECAB5A6A104CD0E1E7E29CD7442FB4701D242937737A88AEA0AF53EB94D
SHA-512:	020AF0CFC0C4FCA94B335DE25F99A497F2759701A60451C08436568F1C44AE16EFD86E9F0E1D3CA4063E6C8CBE6C83C0EEEF35D902DB915F50A61BE6900BF45B
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.9.2.9.9.7.5.5.8.2.7.4.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.2.9.2.9.9.8.4.3.3.2.6.9.8.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.3.8.b.a.1.7.4.-.b.b.a.3.-.4.9.e.9.-.9.8.0.d.-.3.3.3.a.5.a.1.6.d.6.c.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.e.9.3.b.3.2.e.-.c.1.9.f.-.4.7.b.9.-.a.d.a.e.-.5.5.e.2.0.e.1.7.0.5.5.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.9.4.-.0.0.0.1.-.0.0.1.b.-.2.8.5.4.-.1.5.1.e.8.b.e.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.7.b.a.2.a.1.1.1.c.e.d.d.5.b.f.5.2.3.2.2.4.b.3.f.1.c.f.e.5.8.e.e.c.7.c.2.f.d.c.

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREBC5.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Dec 2 14:46:17 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	282834
Entropy (8bit):	3.6930537398619316
Encrypted:	false
SSDEEP:	3072:L44yWeJHJFe/00ojd+px0giUCgUzajC9gIOgF5hqf+5yo02HM:LBtMHJN05px0Tj+C9RpDYfpv
MD5:	806778AF9FEAB438E19410FA9ECF111E
SHA1:	01E51CF951A8D1698386F8D49356CE1910231A8D
SHA-256:	AA77F457EF152064E8A2A5DD37FD6012AB3FB6566B612BF63CE2BC7A9D03C06D
SHA-512:	7585205B942FC69A934D0A8EA59D0D42C1578746F3FA9A3D2E0B5C2937EA5C9EF55AC341E4FAC57BC793526BE76F36F08E40F493DDDC54B37F723CC11ED2F769
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......9.a............D...........,...L.......t&...Q..........T.......8...........T...........h9..j...........x#..........d%...................................................................U...........B.......%......GenuineIntelW...........T.............a.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF972.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8344
Entropy (8bit):	3.689777288726644
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiljv6vUhGIe6YRQO6B0gmfZ7Sk+prz89blFsf/3m:RrlsNiZv6h6YCO6B0gmflSslefO
MD5:	DB89FB22CBA9105ACA2D6E686639A30C
SHA1:	2E7DB0A299FA47967FF181FAA00B59C3B7C118F0
SHA-256:	A0BFCEFB0D618F1E4254B7C11395CE4F674CA495DDFFCD720DDC6FD9D7968348
SHA-512:	7B2EEC75A2CAAAD5804CEB8AFF95523B23E239C00D62FD887BDBE27B2C7155C1461655ECB4F98F0106F501297B554E50879FFB06D2B18983FAD792AC2D497810
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.5.0.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD5B.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4719
Entropy (8bit):	4.441488186622842
Encrypted:	false
SSDEEP:	48:cvIwSD8zsHrJgtWI9MyWSC8B78fm8M4JStjJ2Fb+q8vrtjJMP7id:uITfHFTTSNaJhKoP7id
MD5:	D271EBED8599A4BCE1624C5728FC8824
SHA1:	1F79B302FB7A3AEF0250A35A67484014559AD734
SHA-256:	A5E6AAFCFEDE0F39F5E0FBD05ACA0AA98BA62F4D3FBAB1099C6B22C505AF98BA
SHA-512:	D8F46A2B6F4E92F01FB912B3224FA702D73A5FDF8089F045F99855C26651070D28D171753885FAD4AD737E6F6424D92093183598560CC35DC1E2A529403FED3D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1280156" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PTA009483.exe.log Download File
Process:	C:\Users\user\Desktop\PTA009483.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1968
Entropy (8bit):	5.355630327889458
Encrypted:	false
SSDEEP:	48:MxHKXeHKlEHU0YHKhQnouHIW7HKjntHoxHhAHKzvr1qHxvjHKs:iqXeqm00YqhQnouRqjntIxHeqzTwRrqs
MD5:	5216C7BA51383BFD6FACE8756C452F56
SHA1:	9E34E791CF09C89CF2A8F0D57D48EC330AD29F93
SHA-256:	502CE33AFDC9B4C6CCCB5069A7B700064608BEEA4138ED4DFA206F23D33D03B2
SHA-512:	C1906EAC187E69D5B85384CB62C57713F03D4020DE941D97385DC3F2CAFECBACFD8AEC14E40AB34207ACD0319C368927A0F39F57F3BD135286FC83B207FB4FE4
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

C:\Windows\System32\drivers\etc\hosts Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	835
Entropy (8bit):	4.694294591169137
Encrypted:	false
SSDEEP:	24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
MD5:	6EB47C1CF858E25486E42440074917F2
SHA1:	6A63F93A95E1AE831C393A97158C526A4FA0FAAE
SHA-256:	9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
SHA-512:	08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.245463977313784
Encrypted:	false
SSDEEP:	12288:T+p0L1jLfxGMiGNyiO9KNTOtBhMyHL2OGcJgZW16rXR56azT:Sp0L1jLfxGBGNyw2B
MD5:	A67F7C4F5262D0C0C9151FC916238F7E
SHA1:	0064F99693ED6AC58CFB7EE1D24CDCAD4EF0ED8F
SHA-256:	C40EAFD182A32169C0FE5915D0FD0182D3AD9E0E9238FA558C618165309A60D7
SHA-512:	9825689C05975DF6412A4907FC5EC546486441176A897D3BF724A1FC3D7286DE1B2A960AD3EF90950AF99926649F34C029132D166B6DC1F12125BA973E1510CA
Malicious:	false
Reputation:	low
Preview:	regfH...H...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.).Z................................................................................................................................................................................................................................................................................................................................................}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	3.4224845856930766
Encrypted:	false
SSDEEP:	384:ofU5K5cPv4YgnVVeeDzeH1NKZtj/T8GSw61FOc7oOw:sSKUg/eeDzeVNYtjIGSw6ac7L
MD5:	61EB23C0700A8DA675E5155FED8D22C7
SHA1:	600A225C457071F582679A0CDFB2CEB105619DA9
SHA-256:	5152221606054249108050F3D3F71624C53D41F305315A44C809E8025CED91A8
SHA-512:	35B2BDD866A908CA152D30E0008A2FBBCF263512921AB5A65D134D21814FC999AF39F1102C79044640438C1BE87AEF0B7BEA544395A4BD18576456BB527260D1
Malicious:	false
Reputation:	low
Preview:	regfG...G...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.).Z................................................................................................................................................................................................................................................................................................................................................{...HvLE.N......G...........qq..~>1...Eu....................... ..hbin................p.\..,..........nk,..).Z.................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..).Z........ ........................... .......Z.......................Root........lf......Root....nk ..).Z.................................... ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.93539046167478
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PTA009483.exe
File size:	546816
MD5:	c32dc27c35f471c71e237b07cffc263d
SHA1:	b8518918c8aeaaaf989e6361907debff3da0d6f6
SHA256:	ae4bc61fdbd79efa881919084a9858bc02935ae6ed8644f246ff0f56d87d6e9f
SHA512:	d8f4dde39c62d66a9cfa05728efa151e0d2342bd2ff4b94a85a156a8bed0420459592a22b2409fe2f42557cc3e70c4b5356f14e50df41fe81eabf689e589d11b
SSDEEP:	12288:55pYcrq3cPeOQLqG+jW6XByT1AsZTSp3unxUJ3xs8+qUrH:DpYcrbbQLqG/+wxBZTbnCZG8+zrH
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....I.a..............0..L..........:j... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x486a3a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61A449D0 [Mon Nov 29 03:32:32 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
sbb dword ptr [eax], eax
add byte ptr [edx], ah
pop dword ptr [eax]
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x869e8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x88000	0x64c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x84a50	0x84c00	False	0.942916151718	data	7.94597502339	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x88000	0x64c	0x800	False	0.3447265625	data	3.55508289256	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8a000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x88090	0x3bc	data
RT_MANIFEST	0x8845c	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Earthworks Garden Kare
Assembly Version	5.4.0.0
InternalName	SecurityRunti.exe
FileVersion	5.4.0.0
CompanyName	Earthworks Garden Kare
LegalTrademarks
Comments	Precision Instrument
ProductName	WpfClassProject
ProductVersion	5.4.0.0
FileDescription	WpfClassProject
OriginalFilename	SecurityRunti.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: PTA009483.exe PID: 6544 Parent PID: 2340

General

Start time:	15:44:29
Start date:	02/12/2021
Path:	C:\Users\user\Desktop\PTA009483.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PTA009483.exe"
Imagebase:	0xd10000
File size:	546816 bytes
MD5 hash:	C32DC27C35F471C71E237B07CFFC263D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.675453288.00000000030D9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.675367652.00000000030A8000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.675799503.0000000004091000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: RegSvcs.exe PID: 4500 Parent PID: 6544

General

Start time:	15:44:32
Start date:	02/12/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0xab0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.673328512.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.673328512.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.917262490.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.917262490.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.882714795.0000000002E58000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.922268138.0000000002E58000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.672572361.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.672572361.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.882474406.0000000002DA1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.877668648.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.877668648.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.883876684.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.883876684.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.884947434.0000000002DA1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.884947434.0000000002DA1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.672990070.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.672990070.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.673620269.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.673620269.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.885072574.0000000002E58000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.922149031.0000000002DA1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 6172 Parent PID: 4500

General

Start time:	15:46:13
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 632
Imagebase:	0x920000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000003.896330972.0000000005140000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: PTA009483.exe PID: 6544 Parent PID: 2340 PTA009483.exeCOMMON

Executed Functions

Function 016B6788, Relevance: 3.4, Strings: 2, Instructions: 928COMMON

Download Yara Rule

Strings

,Lm, xrefs: 016B7453
,Lm, xrefs: 016B7498

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID: ,Lm$,Lm
API String ID: 0-2565382310
Opcode ID: 1652ce38308bec52950fd950df63f9416eef2824655131c00840f41c9401f86c
Instruction ID: c329d7bec1b9bd02ad9f20f404e5ac2f45ee89d43a539527f8228b3b90dac51c
Opcode Fuzzy Hash: 1652ce38308bec52950fd950df63f9416eef2824655131c00840f41c9401f86c
Instruction Fuzzy Hash: F582AF31A1122A8FCB14CFB9D880AADBBF2FF88305F14C569E455EB355DB34A985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 016BE488, Relevance: 1.0, Instructions: 984COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d221bd14e828e801914ae2ebc01b42d0adc14a67822d0b9ad5afa72ac67f150f
Instruction ID: 096e291e7329d20a12c64902ca8990c4d535e8f78a7b742882027352857c8311
Opcode Fuzzy Hash: d221bd14e828e801914ae2ebc01b42d0adc14a67822d0b9ad5afa72ac67f150f
Instruction Fuzzy Hash: 6352A035B00115DFDB18DF68C8C4AEDBBB6BF88310B158569E9069B365DB32EC81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016B6776, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97b9ec92e5a0629b0937488e82e5f45bbbb78a32caec726ee303928994a77beb
Instruction ID: 65d34fd1d6473b0684e5204c1cdcabdc71cc2fe7a8f951c4558bc8ba0932f8fb
Opcode Fuzzy Hash: 97b9ec92e5a0629b0937488e82e5f45bbbb78a32caec726ee303928994a77beb
Instruction Fuzzy Hash: BFD1C175E1062A8FDB14CFB9D9806EDBBF2BF88304F119529E405EB358DB30A8458B90

Uniqueness

Uniqueness Score: -1.00%

Function 016B67C2, Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b15f5c211557e3f00f4d9cbcc3e60c9c55ced50fbf2da7a1c47c8adac309fe63
Instruction ID: d3586cb77be3793641345edf41ed56a1d260393e6b7ed4b96549021391f634d6
Opcode Fuzzy Hash: b15f5c211557e3f00f4d9cbcc3e60c9c55ced50fbf2da7a1c47c8adac309fe63
Instruction Fuzzy Hash: F3C1C335A1062A8FDB14CFB9D980AEDB7F2FF88304F119529E405EB358DB34A845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016B7C21, Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d568b1ba9230bb41bd2948372b6860d9c94d07a4d8b0e01a41e2138d5afb78df
Instruction ID: 4589477381999df83b8c2d879d55f5011708b70d2884b3c1b183fba23d390b2d
Opcode Fuzzy Hash: d568b1ba9230bb41bd2948372b6860d9c94d07a4d8b0e01a41e2138d5afb78df
Instruction Fuzzy Hash: D3816D32F101258FD714DB69DC90AAEB7F3AFC8614F1A8565E405EB7A5DB349C41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 016B6458, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 275deeffbf79aa48b633d5f8f7eaae7e1f40b684f9d228f1d4e6e94c47da363a
Instruction ID: c5a930e5b8267e5d42e9acd619147c88e69f22cce697c672a968c6b608d5e065
Opcode Fuzzy Hash: 275deeffbf79aa48b633d5f8f7eaae7e1f40b684f9d228f1d4e6e94c47da363a
Instruction Fuzzy Hash: 2D7109B8D4011E9FDF14CFA9D985AFEBBF1BB48310F10A619D406EB264DB319941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 016BDE60, Relevance: 5.2, Strings: 4, Instructions: 178COMMON

Download Yara Rule

Strings

Xcm, xrefs: 016BDF18
Xcm, xrefs: 016BDF67
Xcm, xrefs: 016BDF26
Xcm, xrefs: 016BDF5B

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID: Xcm$Xcm$Xcm$Xcm
API String ID: 0-271206150
Opcode ID: 234b6f49c9c102d3974e7968de6691eabd014ce70398c098b57cca6bfd4c1e2f
Instruction ID: 5001c4ef028625b65692132317d312c66edcf1dccb171884efef7b4311e24560
Opcode Fuzzy Hash: 234b6f49c9c102d3974e7968de6691eabd014ce70398c098b57cca6bfd4c1e2f
Instruction Fuzzy Hash: 8F617031B00115DFDF14DFA8D894ADD7BBAAF88755F148469E902AB391CB31DC81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 016B6160, Relevance: 1.5, Strings: 1, Instructions: 250COMMON

Download Yara Rule

Strings

$,m, xrefs: 016B6400

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID: $,m
API String ID: 0-3716349533
Opcode ID: 0ab6e2e3219666c7784b2ee5ec310d36d4eb87bad315aa85e8a52368971afacc
Instruction ID: d8029c2c37995446bd318cec7be293c187fbec121e13d1118cd0ddb918b1f887
Opcode Fuzzy Hash: 0ab6e2e3219666c7784b2ee5ec310d36d4eb87bad315aa85e8a52368971afacc
Instruction Fuzzy Hash: CA813331B005118FDB149BBCCC947AEBAE6AF89710F158079D509DB3A6DF34DC868791

Uniqueness

Uniqueness Score: -1.00%

Function 016B79F0, Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

, xrefs: 016B7B02

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0c9cd991d533dbb365b0f93bd46c8e0a9ffef4b8ea3652c90fd07e91005b2820
Instruction ID: b4a8552edefe73ec5ecb6b2017c955b7562f51ba0df7f0184c874122f6b3ebb2
Opcode Fuzzy Hash: 0c9cd991d533dbb365b0f93bd46c8e0a9ffef4b8ea3652c90fd07e91005b2820
Instruction Fuzzy Hash: 1F416871F0011A8BCB10DF9ADC805EEFBB2FBC8215B59C62AD614D7785C734A9928BD1

Uniqueness

Uniqueness Score: -1.00%

Function 016B4380, Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

sp, xrefs: 016B43C3

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID: sp
API String ID: 0-958407816
Opcode ID: a7b203bd734cb4ae686442a01e2ce4445a908407e2657d6d6ac85616b90a623e
Instruction ID: 91e15078b05f5e925a2a7bce29e246100aace91a5f90c9b81dcb65596398793b
Opcode Fuzzy Hash: a7b203bd734cb4ae686442a01e2ce4445a908407e2657d6d6ac85616b90a623e
Instruction Fuzzy Hash: 7821CF347002068FCB05EB79C8595AFBBFAFF81214704482AD406DB7A5EF70AC088B91

Uniqueness

Uniqueness Score: -1.00%

Function 016B63E0, Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

$,m, xrefs: 016B6400

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID: $,m
API String ID: 0-3716349533
Opcode ID: d30711eb0cc038815105effd190f92ddd3b6cc48e7cd9b2155952bccd2ef7c91
Instruction ID: 7f5c8993612210d56841f0500297c53754c1e18fb74d170304462cfff3dd8aaf
Opcode Fuzzy Hash: d30711eb0cc038815105effd190f92ddd3b6cc48e7cd9b2155952bccd2ef7c91
Instruction Fuzzy Hash: 12F0EC317015209F47245E7ED89496A77EFAFCE9603544079E00DC7725DE25DC468396

Uniqueness

Uniqueness Score: -1.00%

Function 016B8AB0, Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dacfe0edee868f5bed0df0c89fae253b40cbaa7e361be90fab1c128d0321d27d
Instruction ID: 4f1ec69a0635e135319fcb91d02170049f71c8c79d9327c0e1629e2b96ea1a12
Opcode Fuzzy Hash: dacfe0edee868f5bed0df0c89fae253b40cbaa7e361be90fab1c128d0321d27d
Instruction Fuzzy Hash: 36515A72B052654FD7119BB98C907EEBFBAAFD6200F19806ED154DB382DB318C46C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 016B0A24, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6e621d443471c3490247f37c667d2f0f84dc406264cc377dde7c77117baaa6
Instruction ID: 446da7d23dfb0057f19066a55e2124f7278575e3d9ae8efac2707235b186885f
Opcode Fuzzy Hash: cf6e621d443471c3490247f37c667d2f0f84dc406264cc377dde7c77117baaa6
Instruction Fuzzy Hash: 54516E31B102154FCB15EBB9DC845BEBBBAFFC42647158A2AE429D7391EF309C068791

Uniqueness

Uniqueness Score: -1.00%

Function 016B3C40, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28f60ca7ce159b58c2f339ef7a390016faeccc8129a604d37f3f73d2142d204
Instruction ID: d25044e929a4602b7ebd1aaedb7cf3e701e13b0a95e0d0e91c6b35570234c583
Opcode Fuzzy Hash: f28f60ca7ce159b58c2f339ef7a390016faeccc8129a604d37f3f73d2142d204
Instruction Fuzzy Hash: 3A517BB1A007599FDB11DFA9DC847EEBFF5FB88210F24446AE404A7340DB749989CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 016B6447, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e92e00b6c8a040889681fa466f95cb69b3a1b774abd4fa0e3e3464e8eb5340b
Instruction ID: 0d86d8d2c42804994727840b015ff1f2580d698e4c30ef8a0754a04c6df1bbf9
Opcode Fuzzy Hash: 5e92e00b6c8a040889681fa466f95cb69b3a1b774abd4fa0e3e3464e8eb5340b
Instruction Fuzzy Hash: 535127B8E0021A9FDF14CFA9D984AEEB7B1BF88310F10A529D412FB354DB359951CB51

Uniqueness

Uniqueness Score: -1.00%

Function 016B6089, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb586e6f9e13b2c3412a6facc915293036baa53b77ab3066b5c7e122f6178f03
Instruction ID: 1d109a49c10b35ecc33412a8b67f1aeda5c7e1c376b8890ac1f124063331d99d
Opcode Fuzzy Hash: fb586e6f9e13b2c3412a6facc915293036baa53b77ab3066b5c7e122f6178f03
Instruction Fuzzy Hash: D641C1317002009FDB04AB7CDC98AAE3BE6AF89615B15807AE40ADF3A3DF35EC458751

Uniqueness

Uniqueness Score: -1.00%

Function 016B0A50, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61ef3acd1a103fb3db4b59a6f052c2ed4351312f2900d5f875d24afd4b985f82
Instruction ID: 77c2d2aa12acdd38d10e0c2313dedbeac13838b3ede37e525d6752291bd903c8
Opcode Fuzzy Hash: 61ef3acd1a103fb3db4b59a6f052c2ed4351312f2900d5f875d24afd4b985f82
Instruction Fuzzy Hash: 16418E35A006158FCB40EFB4D8549AE7BB2EF8921071584BDE809EB361EB399C06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 016B8CC0, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f583840ac669624513eefc3dee8b8a0cc8d0365b8bf81118a47dc4fd225d078d
Instruction ID: 8009ffa27fbf4db961615a434c7c9309cbd4c18c1534848ccd0d72dbc72a7740
Opcode Fuzzy Hash: f583840ac669624513eefc3dee8b8a0cc8d0365b8bf81118a47dc4fd225d078d
Instruction Fuzzy Hash: 8531A175A046698FCB01DFA8C9C08EEBFF5EF5920471984AAD059EB362D730EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016B448E, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 022d21c668f2bfdb10f475ec793990371de486a367d8ca908b48c0d46e3df5a3
Instruction ID: e974b3fef14239137f361263380e03d0e48c05576fe37fe082fcaad0d5e43495
Opcode Fuzzy Hash: 022d21c668f2bfdb10f475ec793990371de486a367d8ca908b48c0d46e3df5a3
Instruction Fuzzy Hash: 2E41E4B1D00609DBDB10CFD9C984ADEBBB5BF49304F64842AD409BB301DB756A8ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 016B4498, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc37a438d60643db7d14dfb8fe7eeb987ba6eb464ecf7e8b19bfeb49e8e99bf
Instruction ID: cf2b49e3e156c2b88e19ec426bd39c0f1572784727d9cdd4b97b7b99fcde8023
Opcode Fuzzy Hash: 7dc37a438d60643db7d14dfb8fe7eeb987ba6eb464ecf7e8b19bfeb49e8e99bf
Instruction Fuzzy Hash: FA41D3B1D00619DBDB10DFD9C984ADEBBB5BF48304F64842AD409BB301DB756A8ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 016B0A40, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 200f5fa78ab26d6044eb5bef05d0d97eca9a7c2e4f69677192213fd2660b3535
Instruction ID: 58a3ab7f73ecd26585e760e3c79b524df671a9087584a0364efa51b4019f3114
Opcode Fuzzy Hash: 200f5fa78ab26d6044eb5bef05d0d97eca9a7c2e4f69677192213fd2660b3535
Instruction Fuzzy Hash: 3331AF35A006158FCB40EFB4D844AAEBBF2EF89300B15857DE809EB361DB359D06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016B8CB2, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35025b3c045abc7434dcc7548ffb562ea1f3894f0822cbb1b3037fc62dbf9848
Instruction ID: 2b875ec3cc9ac43cc4107d1152884fe0cb0138ff9454e842e941e785d6566a9f
Opcode Fuzzy Hash: 35025b3c045abc7434dcc7548ffb562ea1f3894f0822cbb1b3037fc62dbf9848
Instruction Fuzzy Hash: AF316F75A0462A8FCB01DFA8C9C08EEFBF5FF582007198566D419AB352E730DD41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 016B7B69, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83231c4874aeda4e971addcc0608414b4b3b1cb5821cda7cef91ea5bdb0b7e3d
Instruction ID: f30c2eb1a71c2af96bbf7c6be1d923897affe6bc7d6799f09662209320b46519
Opcode Fuzzy Hash: 83231c4874aeda4e971addcc0608414b4b3b1cb5821cda7cef91ea5bdb0b7e3d
Instruction Fuzzy Hash: A121B4723001108FD755DFB8D984AAA77F5DFC9A2031544EAE50ACB7B1DB20DC818B50

Uniqueness

Uniqueness Score: -1.00%

Function 016B3E1C, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4247c53bfb4b120255a7575a88c040167aef09279432a1ec6e27117666f8f7d5
Instruction ID: f6b06212d5a8f27cff2e0a85f7fcd3549f75b060a25fc1163ec58a980522bf98
Opcode Fuzzy Hash: 4247c53bfb4b120255a7575a88c040167aef09279432a1ec6e27117666f8f7d5
Instruction Fuzzy Hash: A431F2B1E002189FDB10CF99D984BDEBBF5BF48324F24846AE404BB350C7B5598ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 016B8BE8, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aad9cbdccee2192530bb98f6d90ade9828d1390162936711a328d94acb9d821a
Instruction ID: 3f9df0c855d1cfd16c491aa2a7a957fe25403cfa99002b7b9d09388a03036b46
Opcode Fuzzy Hash: aad9cbdccee2192530bb98f6d90ade9828d1390162936711a328d94acb9d821a
Instruction Fuzzy Hash: E0218072E0021A9BDB50EFE58C81BEFBBBAEB98210F14413DD615B7284DB305845CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0166D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674975715.000000000166D000.00000040.00000001.sdmp, Offset: 0166D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2be451a16c02cd940816bf7e07fbe3bd97adbec69c636fc2046ca88567c2058
Instruction ID: 80d00a910c9031aa7b0ebb1029e6ceec407ba9de6f58c5ef0b16adf6515bf82a
Opcode Fuzzy Hash: a2be451a16c02cd940816bf7e07fbe3bd97adbec69c636fc2046ca88567c2058
Instruction Fuzzy Hash: 95210475604340DFDB15CF94D8C4B26BB69FB88354F24CA69E88A4B346C737D847CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 016BE288, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aebcc24b40bea7fd0e8a6a365ad1c0cbac7021d9c5140284c9bcc1d0ac57ec92
Instruction ID: 94461ea440754ed83b26682159a71e980b4d29c196b0a738ab9dfdf334ab1c8e
Opcode Fuzzy Hash: aebcc24b40bea7fd0e8a6a365ad1c0cbac7021d9c5140284c9bcc1d0ac57ec92
Instruction Fuzzy Hash: 82216075A00206CFCB10DFA8C8C4AEEBBF6AF59210F154465E945DB361D731EC81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 016BD968, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3dbf176c89d08375e5bf18e44fc7c3f4408d23eb87dd14110df3488c19aab4e
Instruction ID: 787ba32760e4cbb9cc516da034ccaaec4555997886a5fdeb25655f8797abb49d
Opcode Fuzzy Hash: a3dbf176c89d08375e5bf18e44fc7c3f4408d23eb87dd14110df3488c19aab4e
Instruction Fuzzy Hash: 6021A431A04104AFEB45ABB4DC45BFE7BBBEB84740F008466E506EF284DB355D818791

Uniqueness

Uniqueness Score: -1.00%

Function 016B3C18, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4693f49ae6623fe790abaecffe6be2785821aedba937b6cdc39f6435f77a8ba5
Instruction ID: 50233771f8b9a6c119dd4e135c8482671100d48baa960caf643e88982c4bb9ba
Opcode Fuzzy Hash: 4693f49ae6623fe790abaecffe6be2785821aedba937b6cdc39f6435f77a8ba5
Instruction Fuzzy Hash: B8319FB0D016189BDB20DF99D984BDEBFF4BB48714F64846AE404BB350C7B55889CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 016B0A20, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7804e6575278e56e60964dcd9d6d3cce0aa14e2805c46c2df53de7d0290b27f
Instruction ID: 3a3805cf659b0625949cc451fed582a3553ea9d99d4c96ee2d1720d5536f1001
Opcode Fuzzy Hash: d7804e6575278e56e60964dcd9d6d3cce0aa14e2805c46c2df53de7d0290b27f
Instruction Fuzzy Hash: 07117376B0071A5B8B21EFBA9C845BFB7F7FBC46507154929D825D3340EF3099058750

Uniqueness

Uniqueness Score: -1.00%

Function 016B0F68, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387602894fdc3a59833da39fe69d1e00c42bf6529721bdefd74390ba1f4f2c62
Instruction ID: af70f827c7b27de169777c788443616060e447a88ac194a6e388afce0d007b40
Opcode Fuzzy Hash: 387602894fdc3a59833da39fe69d1e00c42bf6529721bdefd74390ba1f4f2c62
Instruction Fuzzy Hash: 3B119E35B002599B8B54EBB9A9502EFBBF6AF89314B100039D505EB340EF36CD56CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0166D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674975715.000000000166D000.00000040.00000001.sdmp, Offset: 0166D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e525c477965fb4d79166bf90197af073a82700dfe6ef74ca678e0232636def
Instruction ID: eba052c983b8c4303762874a6b1522431c9a4011272dd640ac8626f65349faae
Opcode Fuzzy Hash: 52e525c477965fb4d79166bf90197af073a82700dfe6ef74ca678e0232636def
Instruction Fuzzy Hash: 97118E75504280DFDB12CF54D9C4B15FB71FB84314F24C6AAD8494B756C33AD45ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 016B3C24, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2edc8217908e58a6b1d2504e77495cf3b990986af89b9b2e1bce8af5ebbd6185
Instruction ID: 39fd5f0266f683f03458b481e2c9a96add13711cccd8b7117a1c7e5996c7c71a
Opcode Fuzzy Hash: 2edc8217908e58a6b1d2504e77495cf3b990986af89b9b2e1bce8af5ebbd6185
Instruction Fuzzy Hash: D11106B5900649DFCB10DF99D584BDEBBF8EB48324F24841AE959A7300C778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 016B4960, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfcdb8a6ca352c7f1d1067092486e924c48043059c29699289df50d966640a44
Instruction ID: 754c8977d9b791b5155f49f3da9abeb3a134f5101941b347843cc47487a69fc9
Opcode Fuzzy Hash: cfcdb8a6ca352c7f1d1067092486e924c48043059c29699289df50d966640a44
Instruction Fuzzy Hash: 1401D6327082986F8701EB69DC80CABBFFDEB8A26034580A7F458D7312C9309C05C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 016B4A78, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1beb74c29d04f3bc8d2582d7842cccf3ccfa075e85f1879b522e3680320099aa
Instruction ID: 3cbf34c86b8bbd161feca6ce314b4fea29e06768176fbcbd00a49412a1656835
Opcode Fuzzy Hash: 1beb74c29d04f3bc8d2582d7842cccf3ccfa075e85f1879b522e3680320099aa
Instruction Fuzzy Hash: 861103B5900609DFCB10CF99D584BDEBBF4EF48324F24842AD95AA7740C778A584CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 016B66D0, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23660bd331a09473e3fd8190e3ef0306856a3c1f7ffb317922c0f42e1f43a5b
Instruction ID: ecff3d6dac5d32d86aa6ae9b672dbea688a83f816e5320f8c3e587b8a27a4bc6
Opcode Fuzzy Hash: e23660bd331a09473e3fd8190e3ef0306856a3c1f7ffb317922c0f42e1f43a5b
Instruction Fuzzy Hash: 13015A70A003198FDB14DFA4C994BEEBAF5AB4C304F100439D506B7340EB795D85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 016B48C4, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dfa52b530ac66047a968ad115496776d48f013929d59a9f9b25e225cd8c39b2
Instruction ID: b929ba9a694ae4430724a84e2dbf11c12685f3d9c30522529a697ee6875a6b02
Opcode Fuzzy Hash: 7dfa52b530ac66047a968ad115496776d48f013929d59a9f9b25e225cd8c39b2
Instruction Fuzzy Hash: 36011E71D01269DFEB15DFA9C8443ED7FF1AF05310F158625E416AB2A1D7748681CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016B48D0, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb6f5240ce3ddb409ed5a0e359eb160c80254a5a0d80bfef58810ade4ed0b8d
Instruction ID: b0084e3f0b4f848a4a44cb81b31108aaba0a37fea6b52e5101fc145291fc613f
Opcode Fuzzy Hash: edb6f5240ce3ddb409ed5a0e359eb160c80254a5a0d80bfef58810ade4ed0b8d
Instruction Fuzzy Hash: DD01FF70D01269DFEB24DF5AC8443EE7BF5BF45350F118625E425AA291D7744A80CF90

Uniqueness

Uniqueness Score: -1.00%

Function 016B4970, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f83cfc9cc4b4a279ff76edf3c3694f6eca69d51e0f92d359418a462100c3258
Instruction ID: b4e349b03c5dad3d7e77390391274fb383a70031dc9d982ef042cd206ce56dd0
Opcode Fuzzy Hash: 7f83cfc9cc4b4a279ff76edf3c3694f6eca69d51e0f92d359418a462100c3258
Instruction Fuzzy Hash: 08E039727041246F5304DBAAD884C6BBBEEEBCD6A4355813AF91CC7310DA309C0186A0

Uniqueness

Uniqueness Score: -1.00%

Function 016B593C, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e0e11fc0a2ae5334bfaa6bb46c97ca61fc050aba1c62d3018dcfcb5af502b54
Instruction ID: fef85b0f03f6108a71ab0d963598ca4c554c3e36ef9777f555ec6174b5ecc142
Opcode Fuzzy Hash: 2e0e11fc0a2ae5334bfaa6bb46c97ca61fc050aba1c62d3018dcfcb5af502b54
Instruction Fuzzy Hash: B2E065534093E10BD60237BC9CB27DB2F958E2302CB590DD7C0C58A553E909D4879315

Uniqueness

Uniqueness Score: -1.00%

Function 016B09D8, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b982b5792188d4d397a32fdeaf85805169fb8e738e95853a8f316dba245e3b3
Instruction ID: 70b0776b78ac08887c16d03e8de30f75dcd9efff3a79443b98c26647e9ed2513
Opcode Fuzzy Hash: 5b982b5792188d4d397a32fdeaf85805169fb8e738e95853a8f316dba245e3b3
Instruction Fuzzy Hash: A1E0ED7300D3915EC70367E49C71BCB7F755F12114B1A4D93D4C5CA073D629C9999366

Uniqueness

Uniqueness Score: -1.00%

Function 016B3F28, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 510b27ab398fbc161164658e54fcd78798058bf64cf35e04a713e455a695e623
Instruction ID: ebf5b0a6cd7b63b923bcf9564919ddb120c63ff78c89feca381f66c5afe789ce
Opcode Fuzzy Hash: 510b27ab398fbc161164658e54fcd78798058bf64cf35e04a713e455a695e623
Instruction Fuzzy Hash: 54E03970A0010DFBC740EEA0DD42AE97BAAEB54644B22446AE805A7710DA79AE14AB54

Uniqueness

Uniqueness Score: -1.00%

Function 016B0438, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecdaa6e208671b29cd3e3c82880ae828374b5b592a379855a7bbedf21dd175a
Instruction ID: 4a1a06f6aad37d76de7b8abcee395e402001b9dd3d22080869e00937839ca11c
Opcode Fuzzy Hash: eecdaa6e208671b29cd3e3c82880ae828374b5b592a379855a7bbedf21dd175a
Instruction Fuzzy Hash: 01E026107142541FCB076B3428201BEBF1A8FC6618B0440AEC906C7286CE79090183E1

Uniqueness

Uniqueness Score: -1.00%

Function 016B7979, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c96b92667d93d132bf8e58a0bc9cc7d5e4e1146a48ca1c317e00b48787c6bb29
Instruction ID: 9edd6411562dff68449fc57ddccecde373849211c34b3e39ac5436d387a557a3
Opcode Fuzzy Hash: c96b92667d93d132bf8e58a0bc9cc7d5e4e1146a48ca1c317e00b48787c6bb29
Instruction Fuzzy Hash: 46E0DFB1A0628AEFC782DFB0EA502ACBBB1AF4610432009ABC488E7311DB350E449700

Uniqueness

Uniqueness Score: -1.00%

Function 016B482C, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9f20adfacab47faae04d276b79d5a326b9bceaffb66e2e000d547f884963a15
Instruction ID: e729c28ed08b22a568f54a1021323877230194d94c0c02821e3b67356c4f37a6
Opcode Fuzzy Hash: d9f20adfacab47faae04d276b79d5a326b9bceaffb66e2e000d547f884963a15
Instruction Fuzzy Hash: ACE0C232C00138A78B00AAE49C054EFFB79EF04610B424111EA55B7200D3705A21CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 016BD520, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a469dfa032be5bb6eb517d89c796bbb27d09f098afcf7631a0ec737e80c32b5f
Instruction ID: 0c41b54614835f722e0117e16db6bc4dd4bce5e0530f7cdf1fda9672f4b1ce90
Opcode Fuzzy Hash: a469dfa032be5bb6eb517d89c796bbb27d09f098afcf7631a0ec737e80c32b5f
Instruction Fuzzy Hash: 9FD0A73278013467D14425AAA815BBB75CFDBE6661F18403FF50DCB781DDE08C0203E6

Uniqueness

Uniqueness Score: -1.00%

Function 016B0448, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd559f8ffe6e6f57811ab4054204820baa4e66307d321bc76a512b123b6c06eb
Instruction ID: d8cbd5ce663af244e79b4927836e3dfb2b7966ac2f053e6b58ed00e5f24677b4
Opcode Fuzzy Hash: fd559f8ffe6e6f57811ab4054204820baa4e66307d321bc76a512b123b6c06eb
Instruction Fuzzy Hash: 9AD0A721720128278B4A7B75682026FB14F9BC9A68B40842DCE0B87385CE798E0103E6

Uniqueness

Uniqueness Score: -1.00%

Function 016B3F38, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22fccc2eea401950ec858aa32f9db502929560d68d41170aed3069185c962724
Instruction ID: cc7cf1ddaeb8cb8ac6c97638b308b2ab7df6849c0c09b911933e4b166f2ff401
Opcode Fuzzy Hash: 22fccc2eea401950ec858aa32f9db502929560d68d41170aed3069185c962724
Instruction Fuzzy Hash: CDE04F70A0020EEFC740EFA0D94199DBBB6FB45244722456AD809E7310DA796F109B51

Uniqueness

Uniqueness Score: -1.00%

Function 016B6058, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 152a8f361f601da4f896a0bff94b077db422b341f165e144f015c635f0cae343
Instruction ID: f7ee8969724a4c5ac5af37663c32406cb668f62eacdd6d410b50f096c2293385
Opcode Fuzzy Hash: 152a8f361f601da4f896a0bff94b077db422b341f165e144f015c635f0cae343
Instruction Fuzzy Hash: 8CD05E3401424CBFCB01AB11EC098AA3FBAEF523517059063F888DA2B2CE71B918E761

Uniqueness

Uniqueness Score: -1.00%

Function 016B4838, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction ID: 0deba5c912133e2c78bc64ad51b8e03ae2d7cf578f07798f095561c527f3e156
Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction Fuzzy Hash: 46D09E72D00139978B10AFE99C054DFFF79EF05650B418126EA25A7101D7715A21DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 016B7988, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0479c88f3f1328883d1346d74c36fda18436b6f639d9ec7ea26eb7e05b308556
Instruction ID: cabb243b3395baae3870c2a13b1bdc643c5c73132fbc5f3b2b737ee80c72122f
Opcode Fuzzy Hash: 0479c88f3f1328883d1346d74c36fda18436b6f639d9ec7ea26eb7e05b308556
Instruction Fuzzy Hash: 79D01270A0124EEF8740DFA5E54155DB7B9EB4960472045A9D848E3210EB311E019740

Uniqueness

Uniqueness Score: -1.00%

Function 016B0F30, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcb39ad9a4cc581e0b2f1c826f0d429de610f46a5900f5457472ac60ad55ccd
Instruction ID: c995f9927bf61cb2faf99107a2bc5b51ff27045c39fda0bf223cf34c2aa0c7a8
Opcode Fuzzy Hash: 6bcb39ad9a4cc581e0b2f1c826f0d429de610f46a5900f5457472ac60ad55ccd
Instruction Fuzzy Hash: A4C02B3F2100002BD3013700DC00FC13DEFF7D0228F1CC140A408EA130C829E066AB24

Uniqueness

Uniqueness Score: -1.00%

Function 016B7B50, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc6829545a3becbfb72854218c45bc34ab7d7e148d325f4c8243783efdf55d2a
Instruction ID: f7a28a607f46a0e05ad74f8141d32c9362b716885de041d45dbf3124f63c668e
Opcode Fuzzy Hash: bc6829545a3becbfb72854218c45bc34ab7d7e148d325f4c8243783efdf55d2a
Instruction Fuzzy Hash: 70B0923126420C0AEA509AF97886B66778C8B84A28F5410A2B60CC1F41EA46E4902644

Uniqueness

Uniqueness Score: -1.00%

Function 016B6068, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66f3d651353cd6dd3783aede19582208601e472515d3e58e0b94b67d8b120e7b
Instruction ID: 162daf73d7f5a23d7bfbe873288a7bf497b55bfa3f249dab293d86db6393590b
Opcode Fuzzy Hash: 66f3d651353cd6dd3783aede19582208601e472515d3e58e0b94b67d8b120e7b
Instruction Fuzzy Hash: BCC04C3512010CABCB04AF56E80A8697FBBFF94261710D122F849562B1DF71B914AA90

Uniqueness

Uniqueness Score: -1.00%

Function 016B79C1, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c51d47bf1499777ac611c1f7cf7028e45edde9697b8b13500185cf5323ffa644
Instruction ID: 72091632becaaaccc38d98a72ffae213f152596946166189e26f3fe8236ef1cb
Opcode Fuzzy Hash: c51d47bf1499777ac611c1f7cf7028e45edde9697b8b13500185cf5323ffa644
Instruction Fuzzy Hash: E1C04C6554D7C06FEB1347708C59B157F715F17705F1B10CBE182DA2D2A654145CC723

Uniqueness

Uniqueness Score: -1.00%

Function 016B5912, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20b43405dfa2b9e9d75455ea79dd693a1458f0366d23a652d43beb5cd194c71
Instruction ID: c1ecbf355cae4d4c44d24bb3910774c67214115ab39b761858f667a39c5e3706
Opcode Fuzzy Hash: e20b43405dfa2b9e9d75455ea79dd693a1458f0366d23a652d43beb5cd194c71
Instruction Fuzzy Hash: F5B0122100252897DB50AF10C89B7D17FFCF305725FC08CB0CC0509D43822CE20BC106

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 016B7F58, Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

, xrefs: 016B806E

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2f00e1997d7b66dfb8f26a73d18e815747ad8a6e36786acf1e941420b956331a
Instruction ID: b701859f05779ebd034da32cebff25956e3768a91d75855e3603ba24f1bcb0a4
Opcode Fuzzy Hash: 2f00e1997d7b66dfb8f26a73d18e815747ad8a6e36786acf1e941420b956331a
Instruction Fuzzy Hash: 6651CD31B001198FCB14DFADDC845AEBBB6FBC8215B18857AE509CB355DB30EC918B80

Uniqueness

Uniqueness Score: -1.00%

Function 016B4F77, Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae48d31d4413c59b02a5d8b92726f9c851f9c9b33fc94ad7abd577b9e4aaa010
Instruction ID: bb251d6e1bc69c6b0a53443ef095b4b84aa0c4c157c44b20c612bfc4aef83f9b
Opcode Fuzzy Hash: ae48d31d4413c59b02a5d8b92726f9c851f9c9b33fc94ad7abd577b9e4aaa010
Instruction Fuzzy Hash: 43D1EB31D2175B8ACB00EFB5D9506E9B371FFA5200F609B9AD4497B220EF746EC98B50

Uniqueness

Uniqueness Score: -1.00%

Function 016B4F88, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc6a74e6edcf798b245ba5221aaf2c852cf3f93ba661aab005ad00fcffe679f2
Instruction ID: f8bf1c55ad7a027cdaf675a467a0ca208ca10213b1982a8bb7745e06ae9b7914
Opcode Fuzzy Hash: cc6a74e6edcf798b245ba5221aaf2c852cf3f93ba661aab005ad00fcffe679f2
Instruction Fuzzy Hash: 9FD1EA31D2175B8ACB00EFB5D9506A9B371FFA5200F609B9AD4497B220EF746EC9CB50

Uniqueness

Uniqueness Score: -1.00%

Function 016B7CD1, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bbf9a33d3b4a93614d54fbfca137661143a64ce47a27c9ffd20a60550220174
Instruction ID: 51bc0d8215929b01ad672a3c5d49bdacc3c6f83c86ab8e05653c6305a109cb88
Opcode Fuzzy Hash: 9bbf9a33d3b4a93614d54fbfca137661143a64ce47a27c9ffd20a60550220174
Instruction Fuzzy Hash: DE613D32F105258FD714DB69CC90BAEB3E3AFC8614F5A8564E409AB7A5DF34AC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016B6C61, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675066265.00000000016B0000.00000040.00000001.sdmp, Offset: 016B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44039433d5a46813eaddcb766288df5ed9779e2f9949871daae6c816f8ec0429
Instruction ID: d110367a00043393285425dc8500a151ee350afcbaa2bea6165ee1401f6d0085
Opcode Fuzzy Hash: 44039433d5a46813eaddcb766288df5ed9779e2f9949871daae6c816f8ec0429
Instruction Fuzzy Hash: ED412479E5510E9FDF14CFA9E8819EDF7F2BF48304B01A21AE016EB294DB31A845CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00D35196, Relevance: .0, Instructions: 49
COMMONCrypto

Download Yara Rule

C-Code - Quality: 37%

			E00D35196() {
				signed int _t12;
				signed int _t13;
				void* _t14;
				intOrPtr* _t15;
				signed int* _t18;
				signed int _t19;
				signed int _t22;
				void* _t23;
				void* _t28;
				signed int _t30;
				signed int _t31;

				_t15 = _t14 + _t14;
				 *_t12 =  *_t12 + _t12;
				_push( *_t15);
				asm("o16 add bh, bh");
				asm("cdq");
				asm("int3");
				_t18 = _t15 + _t15 + _t15 + _t15 + _t15 + _t15 + _t15 + _t15;
				_push( *_t18);
				 *_t12 =  *_t12 + _t12;
				_t13 = _t12 ^  *_t12;
				_t31 = _t30 ^  *_t18;
				 *((intOrPtr*)(_t31 + 0x33)) =  *((intOrPtr*)(_t31 + 0x33)) + _t13;
				 *((intOrPtr*)(_t23 + 0x33cc0033)) =  *((intOrPtr*)(_t23 + 0x33cc0033)) + _t18;
				_t19 = _t18 + _t18;
				 *_t19 =  *_t19 + _t28;
				asm("cdq");
				asm("int3");
				_push( *_t19);
				asm("o16 add [ebx], dh");
				_t22 = _t19 ^  *(_t23 + 0x33993300) ^  *(_t23 - 0x6666cc9a) ^  *(_t23 - 0x66cc34);
				 *_t22 =  *_t22 + _t28;
				asm("int3");
				asm("int3");
				asm("cdq");
				asm("int3");
				_push( *_t22);
				 *_t13 =  *_t13 + 1;
				goto ( *((intOrPtr*)((_t31 ^  *_t19 ^  *_t19 ^  *_t19 ^  *_t19 ^  *_t19 ^  *_t19 ^  *_t19 ^  *_t22 ^  *_t22) + 0x33)));
			}

0x00d35196
0x00d35198
0x00d3519a
0x00d3519e
0x00d351a1
0x00d351a4
0x00d351a5
0x00d351a7
0x00d351a9
0x00d351ab
0x00d351ad
0x00d351af
0x00d351b2
0x00d351b8
0x00d351bc
0x00d351c5
0x00d351c8
0x00d351cb
0x00d351cd
0x00d351ea
0x00d351f2
0x00d351f4
0x00d351f7
0x00d351fb
0x00d351fe
0x00d35201
0x00d35203
0x00d35209

Memory Dump Source

Source File: 00000000.00000002.674460232.0000000000D12000.00000002.00020000.sdmp, Offset: 00D10000, based on PE: true

Associated: 00000000.00000002.674454685.0000000000D10000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674560826.0000000000D98000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ac1ec85578a72c8350fe572c325ba7a575b3618c273e7d28a6fb2112091dbf
Instruction ID: 50b3517389c25bcc8bcd2e760a7a79ce88d516a4082a590b2d9fed5a22837dc0
Opcode Fuzzy Hash: 64ac1ec85578a72c8350fe572c325ba7a575b3618c273e7d28a6fb2112091dbf
Instruction Fuzzy Hash: 7311C9325081A0DFCF168BB4D9E9652BBB1AF1F34074604CADD422F45AD6253C25EB63

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 4500 Parent PID: 6544 RegSvcs.exeCOMMON

Executed Functions

Function 02C16950, Relevance: 6.1, APIs: 4, Instructions: 143threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02C169E0
GetCurrentThread.KERNEL32 ref: 02C16A1D
GetCurrentProcess.KERNEL32 ref: 02C16A5A
GetCurrentThreadId.KERNEL32 ref: 02C16AB3

Memory Dump Source

Source File: 00000001.00000002.921560590.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 634dfeda8d3ca733b9334a1ea44ebc2a7ebe7a9f3946acc32c221d920a7b4148
Instruction ID: 06e70c1a71e1b5993fafdf99084c064111fcb0aed15c8c7ae11af045391929f8
Opcode Fuzzy Hash: 634dfeda8d3ca733b9334a1ea44ebc2a7ebe7a9f3946acc32c221d920a7b4148
Instruction Fuzzy Hash: BB5178B1900645CFDB00CFA9D5497DEBFF4EF89318F24886AE049A7390D7749945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C16980, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02C169E0
GetCurrentThread.KERNEL32 ref: 02C16A1D
GetCurrentProcess.KERNEL32 ref: 02C16A5A
GetCurrentThreadId.KERNEL32 ref: 02C16AB3

Memory Dump Source

Source File: 00000001.00000002.921560590.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 38077741973ae165f7f345f443667e976bf86f3135f8a007c077b1d7d03cc40d
Instruction ID: 1f33cdc7541268c426073b6aa6d44e36cacc7b620e05c71cd144b3f66255799c
Opcode Fuzzy Hash: 38077741973ae165f7f345f443667e976bf86f3135f8a007c077b1d7d03cc40d
Instruction Fuzzy Hash: 1F5156B0900649DFDB00CFA9D549BDEBBF4AF89314F208469E009A7390CB745984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C1504F, Relevance: 1.7, APIs: 1, Instructions: 160COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02C151E2

Memory Dump Source

Source File: 00000001.00000002.921560590.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: cf677fad61b78d35b1133aaffce29c88aab00bc69fd5c195f888a5466e5d5472
Instruction ID: c4e5e2b12c8f7c718cd400fc5e9ac0c8d70060bf0f7f3bfa07d10242c626b570
Opcode Fuzzy Hash: cf677fad61b78d35b1133aaffce29c88aab00bc69fd5c195f888a5466e5d5472
Instruction Fuzzy Hash: 626115B1D042899FCF02CFA5C844ACDBFB1BF8A314F2881AAE404AB261D7759945DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02C150D0, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02C151E2

Memory Dump Source

Source File: 00000001.00000002.921560590.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8f2d5180fa329a2b5f73f2fde620f3a5a0e1903d144ccdc4937302fad2e7c3d5
Instruction ID: c37dbc811d7249cc4cc8b331c46fd8665bc1cad0cdebf8774da63b1345ae969f
Opcode Fuzzy Hash: 8f2d5180fa329a2b5f73f2fde620f3a5a0e1903d144ccdc4937302fad2e7c3d5
Instruction Fuzzy Hash: E541C0B1D00349DFDF14CF9AC884ADEBBB5BF89354F64812AE819AB210D774A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02C177CC, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02C17F41

Memory Dump Source

Source File: 00000001.00000002.921560590.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 80ae61f7818b6fab8be5d3fd5fac31220a9d0f7c7d782abf6caf7c47e00945cb
Instruction ID: e12030e180a15fde60afdd64f8dc73381205d6b207b8be897af6eb27e986559b
Opcode Fuzzy Hash: 80ae61f7818b6fab8be5d3fd5fac31220a9d0f7c7d782abf6caf7c47e00945cb
Instruction Fuzzy Hash: 6C4149B5A002059FCB10CF99C489BABFBF5FF89314F248499E519AB320D775A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02C16BA3, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C16C2F

Memory Dump Source

Source File: 00000001.00000002.921560590.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3f8558e33b84c8cea0d7e3a1b577da181e09ec878cb0243e014b2a0faf1d3ed2
Instruction ID: 643c6fd8d20081b5b242b1f4fe03423e332738262d896c887cbbff7fc900e3c4
Opcode Fuzzy Hash: 3f8558e33b84c8cea0d7e3a1b577da181e09ec878cb0243e014b2a0faf1d3ed2
Instruction Fuzzy Hash: 7121E5B5900209AFDB10CF99D584BDEBBF8EF48324F14841AE914A7310D374A944DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02C16BA8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C16C2F

Memory Dump Source

Source File: 00000001.00000002.921560590.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b725e171fba4502e4fc62739de54f4dc4c36d624adbbf8b922900dfd9aa2df20
Instruction ID: ad1b0bc8a38ec46045a283d7d7a2b68c6f6f463400b5d5af4b56d78da3dbdbdd
Opcode Fuzzy Hash: b725e171fba4502e4fc62739de54f4dc4c36d624adbbf8b922900dfd9aa2df20
Instruction Fuzzy Hash: E921E6B59002099FDB10CF99D584ADEBBF8FF48324F14841AE914A7310D374A944DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02C1BEA9, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 02C1BF32

Memory Dump Source

Source File: 00000001.00000002.921560590.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 1f809ce213acfeb524519f87ddd491a9652d729582b3629940e237eb7d317c22
Instruction ID: de7e0918942cd535e7f7e5fa0ba6ff58ea3485f24e215c5bb156b11314f1efb6
Opcode Fuzzy Hash: 1f809ce213acfeb524519f87ddd491a9652d729582b3629940e237eb7d317c22
Instruction Fuzzy Hash: 2F219AB59003458FDB20CFA9D58979EBFF4FB49318F24886AE444A3681C7796944CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C1BEB8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 02C1BF32

Memory Dump Source

Source File: 00000001.00000002.921560590.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: b4ecf1d8da92ff3b99d150472cf75112fce108a10b3072a3d519deeb60ccdef2
Instruction ID: 087143cb8d22fb042aa4deafcea416f0cb8d9d03cac827837b19d3feebaf8363
Opcode Fuzzy Hash: b4ecf1d8da92ff3b99d150472cf75112fce108a10b3072a3d519deeb60ccdef2
Instruction Fuzzy Hash: AB11ACB59003098FDB20CFAAD5497DEBBF8FB49318F208429E444B3680C7796944CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report PTA009483.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior