
Analysis Report shipping order.exe

Overview

General Information

Sample Name: shipping order.exe
Analysis ID: 337538
MD5: b87925c7eb04ed03b7d1b9a5a39358d8
SHA1: cff199d7a3b2ecb1d5a6c2ba48de92901789cfda
SHA256: 8daa3b16b15dd52ffb99eb0644b52712d889fe9528f8633dd16b4b405b017130
Tags: Endurance, exe, NanoCore, RAT


Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Powershell adding suspicious path to exclusion list
Yara detected Nanocore RAT
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Startup

  • System is w10x64
  • shipping order.exe (PID: 5316 cmdline: 'C:\Users\user\Desktop\shipping order.exe' MD5: B87925C7EB04ED03B7D1B9A5A39358D8)
    • powershell.exe (PID: 1000 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 768 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4724 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4600 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\shipping order.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6292 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6464 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 6728 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6820 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • cmd.exe (PID: 1688 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6460 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • shipping order.exe (PID: 5732 cmdline: C:\Users\user\Desktop\shipping order.exe MD5: B87925C7EB04ED03B7D1B9A5A39358D8)
    • WerFault.exe (PID: 5960 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 2616 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • shipping order.exe (PID: 6696 cmdline: 'C:\Users\user\Desktop\shipping order.exe' MD5: B87925C7EB04ED03B7D1B9A5A39358D8)
    • powershell.exe (PID: 5128 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • shipping order.exe (PID: 1624 cmdline: 'C:\Users\user\Desktop\shipping order.exe' MD5: B87925C7EB04ED03B7D1B9A5A39358D8)
  • shipping order.exe (PID: 5860 cmdline: 'C:\Users\user\Desktop\shipping order.exe' MD5: B87925C7EB04ED03B7D1B9A5A39358D8)
  • shipping order.exe (PID: 6892 cmdline: 'C:\Users\user\Desktop\shipping order.exe' MD5: B87925C7EB04ED03B7D1B9A5A39358D8)
  • shipping order.exe (PID: 6436 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' MD5: B87925C7EB04ED03B7D1B9A5A39358D8)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["311.10.11.15"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001E.00000002.551692234.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001E.00000002.551692234.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000001E.00000002.551692234.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0xfcf5:$a: NanoCore
    • 0xfd05:$a: NanoCore
    • 0xff39:$a: NanoCore
    • 0xff4d:$a: NanoCore
    • 0xff8d:$a: NanoCore
    • 0xfd54:$b: ClientPlugin
    • 0xff56:$b: ClientPlugin
    • 0xff96:$b: ClientPlugin
    • 0xfe7b:$c: ProjectData
    • 0x10882:$d: DESCrypto
    • 0x1824e:$e: KeepAlive
    • 0x1623c:$g: LogClientMessage
    • 0x12437:$i: get_Connected
    • 0x10bb8:$j: #=q
    • 0x10be8:$j: #=q
    • 0x10c04:$j: #=q
    • 0x10c34:$j: #=q
    • 0x10c50:$j: #=q
    • 0x10c6c:$j: #=q
    • 0x10c9c:$j: #=q
    • 0x10cb8:$j: #=q
0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x102dd:$x1: NanoCore.ClientPluginHost
    • 0x430fd:$x1: NanoCore.ClientPluginHost
    • 0x75d1d:$x1: NanoCore.ClientPluginHost
    • 0x1031a:$x2: IClientNetworkHost
    • 0x4313a:$x2: IClientNetworkHost
    • 0x75d5a:$x2: IClientNetworkHost
    • 0x13e4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x46c6d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x7988d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
30.2.shipping order.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
30.2.shipping order.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
      • 0xff05:$x1: NanoCore Client.exe
      • 0x1018d:$x2: NanoCore.ClientPluginHost
      • 0x117c6:$s1: PluginCommand
      • 0x117ba:$s2: FileCommand
      • 0x1266b:$s3: PipeExists
      • 0x18422:$s4: PipeCreated
      • 0x101b7:$s5: IClientLoggingHost
30.2.shipping order.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
30.2.shipping order.exe.400000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
        • 0xfef5:$a: NanoCore
        • 0xff05:$a: NanoCore
        • 0x10139:$a: NanoCore
        • 0x1014d:$a: NanoCore
        • 0x1018d:$a: NanoCore
        • 0xff54:$b: ClientPlugin
        • 0x10156:$b: ClientPlugin
        • 0x10196:$b: ClientPlugin
        • 0x1007b:$c: ProjectData
        • 0x10a82:$d: DESCrypto
        • 0x1844e:$e: KeepAlive
        • 0x1643c:$g: LogClientMessage
        • 0x12637:$i: get_Connected
        • 0x10db8:$j: #=q
        • 0x10de8:$j: #=q
        • 0x10e04:$j: #=q
        • 0x10e34:$j: #=q
        • 0x10e50:$j: #=q
        • 0x10e6c:$j: #=q
        • 0x10e9c:$j: #=q
        • 0x10eb8:$j: #=q

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\shipping order.exe, ProcessId: 5732, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Powershell adding suspicious path to exclusion list
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\shipping order.exe', ParentImage: C:\Users\user\Desktop\shipping order.exe, ParentProcessId: 5316, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force, ProcessId: 1000

Signature Overview

AV Detection:

Found malware configuration
Source: shipping order.exe.5732.30.memstr; Malware Configuration Extractor: NanoCore {"C2: ": ["311.10.11.15"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe; ReversingLabs: Detection: 30%
Multi AV Scanner detection for submitted file
Source: shipping order.exe; Virustotal: Detection: 34%
Source: shipping order.exe; ReversingLabs: Detection: 30%
Yara detected Nanocore RAT
Source: Yara match; File source: 0000001E.00000002.551692234.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001E.00000002.606733051.00000000032E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001E.00000002.622773762.00000000042E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: shipping order.exe PID: 5732, type: MEMORY
Source: Yara match; File source: 30.2.shipping order.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: shipping order.exe; Joe Sandbox ML: detected
Source: shipping order.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown; HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49710 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49730 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49733 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49736 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49741 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49759 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49765 version: TLS 1.0
Source: shipping order.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
        Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000023.00000003.349471169.0000000005237000.00000004.00000001.sdmp
        Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000023.00000003.531904186.00000000056A0000.00000004.00000040.sdmp
        Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: C:\Users\user\Desktop\shipping order.PDB8 source: shipping order.exe, 00000000.00000002.587470531.0000000000EF8000.00000004.00000001.sdmp
        Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbezi source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
        Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbe source: shipping order.exe, 0000001D.00000002.598875742.0000000001007000.00000004.00000020.sdmp
        Source: Binary string: shipping order.PDB" source: shipping order.exe, 0000000E.00000002.466963492.0000000000F68000.00000004.00000010.sdmp
        Source: Binary string: System.Xml.ni.pdbL source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: shipping order.exe, 0000001B.00000002.600047696.000000000148C000.00000004.00000020.sdmp, shipping order.exe, 0000001D.00000002.598875742.0000000001007000.00000004.00000020.sdmp
        Source: Binary string: clr.pdb source: WerFault.exe, 00000023.00000003.531904186.00000000056A0000.00000004.00000040.sdmp
        Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000023.00000003.531904186.00000000056A0000.00000004.00000040.sdmp
        Source: Binary string: oft.VisualBasic.pdb source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
        Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: shipping order.exe, 00000000.00000002.599854975.000000000128E000.00000004.00000020.sdmp, shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
        Source: Binary string: advapi32.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: shipping order.exe, 0000001D.00000002.598875742.0000000001007000.00000004.00000020.sdmp
        Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: wimm32.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: shipping order.exe, 00000000.00000002.587470531.0000000000EF8000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.466963492.0000000000F68000.00000004.00000010.sdmp, shipping order.exe, 0000001B.00000002.587581007.00000000010F8000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.587046674.0000000000CF8000.00000004.00000001.sdmp
        Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.ni.pdbL source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: mscoree.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: version.pdbi source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb= source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
        Source: Binary string: System.Windows.Forms.pdbL source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbn source: shipping order.exe, 0000001D.00000002.598875742.0000000001007000.00000004.00000020.sdmp
        Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000023.00000003.531904186.00000000056A0000.00000004.00000040.sdmp
        Source: Binary string: WLDP.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: sechost.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb* source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
        Source: Binary string: clrjit.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Users\user\Desktop\shipping order.PDB source: shipping order.exe, 0000001B.00000002.599305749.0000000001428000.00000004.00000020.sdmp
        Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbe{ source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
        Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp, shipping order.exe, 0000001B.00000002.599305749.0000000001428000.00000004.00000020.sdmp
        Source: Binary string: System.Core.ni.pdbj source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: w.pdb source: shipping order.exe, 0000001B.00000002.587581007.00000000010F8000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.587046674.0000000000CF8000.00000004.00000001.sdmp
        Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: ole32.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: version.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: wintrust.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbk source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
        Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: System.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: shipping order.exe, 0000001B.00000002.600047696.000000000148C000.00000004.00000020.sdmp
        Source: Binary string: System.ni.pdbj source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: System.Configuration.pdb3 source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000023.00000003.531904186.00000000056A0000.00000004.00000040.sdmp
        Source: Binary string: msasn1.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: ic.pdbW source: shipping order.exe, 00000000.00000002.587470531.0000000000EF8000.00000004.00000001.sdmp
        Source: Binary string: mscorlib.pdb source: shipping order.exe, 0000001B.00000002.600047696.000000000148C000.00000004.00000020.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: shipping order.exe, 0000001B.00000002.598463851.00000000013F4000.00000004.00000020.sdmp
        Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: System.pdbL source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: cryptbase.pdb{ source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: System.Management.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdboto source: shipping order.exe, 00000000.00000002.599854975.000000000128E000.00000004.00000020.sdmp
        Source: Binary string: System.Core.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb6e8 source: shipping order.exe, 0000001B.00000002.599305749.0000000001428000.00000004.00000020.sdmp
        Source: Binary string: apphelp.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: wuser32.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbel source: shipping order.exe, 00000000.00000002.599854975.000000000128E000.00000004.00000020.sdmp
        Source: Binary string: C:\Users\user\Desktop\shipping order.PDB source: shipping order.exe, 0000000E.00000002.466963492.0000000000F68000.00000004.00000010.sdmp, shipping order.exe, 0000001B.00000002.587581007.00000000010F8000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.587046674.0000000000CF8000.00000004.00000001.sdmp
        Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: shipping order.PDB source: shipping order.exe, 00000000.00000002.587470531.0000000000EF8000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.587581007.00000000010F8000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.587046674.0000000000CF8000.00000004.00000001.sdmp
        Source: Binary string: System.Core.pdbj source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: System.ni.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: crypt32.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; IPs: 311.10.11.15
Connects to a pastebin service (likely for C&C)
Source: unknown; DNS query: name: pastebin.com
Source: unknown; DNS query: name: pastebin.com
Source: unknown; DNS query: name: pastebin.com
Source: unknown; DNS query: name: pastebin.com
Source: unknown; DNS query: name: pastebin.com
Source: unknown; DNS query: name: pastebin.com
Source: unknown; DNS query: name: pastebin.com
Source: global traffic; TCP traffic: 192.168.2.5:49731 -> 194.5.97.173:10004
Source: Joe Sandbox View; IP Address: 104.23.99.190
Source: Joe Sandbox View; IP Address: 104.23.99.190
Source: Joe Sandbox View; IP Address: 104.23.98.190
Source: Joe Sandbox View; IP Address: 104.23.98.190
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown; HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49710 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49730 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49733 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49736 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49741 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.5:49759 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49765 version: TLS 1.0
Source: unknown; DNS traffic detected: queries for: pastebin.com
        Source: shipping order.exe, 00000000.00000002.629763939.0000000003563000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.535270665.0000000003783000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.624981836.0000000003693000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.625714191.00000000033F3000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
        Source: shipping order.exe, 00000000.00000002.602732861.0000000001420000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.607053455.0000000004B5F000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.603560292.00000000016E0000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.602169283.00000000012B0000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.599858334.0000000001480000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
        Source: shipping order.exe, 00000000.00000002.602732861.0000000001420000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.607053455.0000000004B5F000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.603560292.00000000016E0000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.602169283.00000000012B0000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.599858334.0000000001480000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
        Source: powershell.exe, 00000005.00000002.593882725.00000000037A6000.00000004.00000020.sdmp, powershell.exe, 00000006.00000003.527145991.00000000032F2000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: shipping order.exe, 00000000.00000002.629763939.0000000003563000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.535270665.0000000003783000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.624981836.0000000003693000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.625714191.00000000033F3000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
        Source: shipping order.exe, 00000000.00000002.602732861.0000000001420000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.607053455.0000000004B5F000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.603560292.00000000016E0000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.602169283.00000000012B0000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.599858334.0000000001480000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
        Source: shipping order.exe, 00000000.00000002.629763939.0000000003563000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.535270665.0000000003783000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.624981836.0000000003693000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.625714191.00000000033F3000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
        Source: shipping order.exe, 00000000.00000002.602732861.0000000001420000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.607053455.0000000004B5F000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.603560292.00000000016E0000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.602169283.00000000012B0000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.599858334.0000000001480000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
        Source: shipping order.exe, 00000000.00000002.629763939.0000000003563000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.535270665.0000000003783000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.624981836.0000000003693000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.625714191.00000000033F3000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0L
        Source: shipping order.exe, 00000000.00000002.602732861.0000000001420000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.607053455.0000000004B5F000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.603560292.00000000016E0000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.602169283.00000000012B0000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.599858334.0000000001480000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
        Source: shipping order.exe, 00000000.00000002.602732861.0000000001420000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.607053455.0000000004B5F000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.603560292.00000000016E0000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.602169283.00000000012B0000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.599858334.0000000001480000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
        Source: powershell.exe, 00000006.00000002.631313562.0000000005C84000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
        Source: shipping order.exe, 00000000.00000002.629763939.0000000003563000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.535270665.0000000003783000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.624981836.0000000003693000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.625714191.00000000033F3000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
        Source: shipping order.exe, 00000000.00000002.629763939.0000000003563000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.535270665.0000000003783000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.624981836.0000000003693000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.625714191.00000000033F3000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
        Source: shipping order.exe, 00000000.00000002.602732861.0000000001420000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.607053455.0000000004B5F000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.603560292.00000000016E0000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.602169283.00000000012B0000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.599858334.0000000001480000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
        Source: shipping order.exe, 00000000.00000002.602732861.0000000001420000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.607053455.0000000004B5F000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.603560292.00000000016E0000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.602169283.00000000012B0000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.599858334.0000000001480000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
        Source: shipping order.exe, 00000000.00000002.629763939.0000000003563000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.535270665.0000000003783000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.624981836.0000000003693000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.625714191.00000000033F3000.00000004.00000001.sdmp | String found in binary or memory: http://pastebin.com
        Source: powershell.exe, 00000006.00000002.603137277.0000000004D5E000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 00000003.00000002.606076102.000000000495E000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png$6
        Source: powershell.exe, 00000001.00000002.605929285.000000000488D000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.pngt
        Source: powershell.exe, 00000001.00000002.605929285.000000000488D000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.606076102.000000000495E000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.605732034.000000000531E000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.603137277.0000000004D5E000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
        Source: shipping order.exe, 00000000.00000002.611055849.0000000002EB1000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.601882305.0000000004751000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.600388750.0000000004821000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.600934151.00000000051E1000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.597635539.0000000004C21000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.484012193.00000000030D1000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.605222974.0000000002FE1000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.607170263.0000000002D41000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.604939441.0000000002F71000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 00000001.00000002.605929285.000000000488D000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.606076102.000000000495E000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.605732034.000000000531E000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.603137277.0000000004D5E000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
        Source: powershell.exe, 00000006.00000002.603137277.0000000004D5E000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: powershell.exe, 00000003.00000002.606076102.000000000495E000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html$6
        Source: powershell.exe, 00000001.00000002.605929285.000000000488D000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlt
        Source: shipping order.exe, 00000000.00000002.602732861.0000000001420000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.607053455.0000000004B5F000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.603560292.00000000016E0000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.602169283.00000000012B0000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.599858334.0000000001480000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
        Source: powershell.exe, 00000006.00000002.631313562.0000000005C84000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000006.00000002.631313562.0000000005C84000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000006.00000002.631313562.0000000005C84000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
        Source: powershell.exe, 00000006.00000002.603137277.0000000004D5E000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 00000003.00000002.606076102.000000000495E000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester$6
        Source: powershell.exe, 00000001.00000002.605929285.000000000488D000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pestert
        Source: powershell.exe, 00000001.00000003.505791219.0000000005105000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.531194458.0000000005B92000.00000004.00000001.sdmp | String found in binary or memory: https://go.micro
        Source: powershell.exe, 00000006.00000002.631313562.0000000005C84000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
        Source: shipping order.exe, 00000000.00000002.629479307.0000000003550000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.532866722.000000000371A000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.623796584.000000000362A000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.624812497.000000000338A000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com
        Source: shipping order.exe, 0000001D.00000002.624812497.000000000338A000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/raw/W63zsRav
        Source: shipping order.exe, 00000000.00000002.629479307.0000000003550000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.532866722.000000000371A000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.623796584.000000000362A000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.624812497.000000000338A000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com4
        Source: shipping order.exe, 00000000.00000002.629763939.0000000003563000.00000004.00000001.sdmp, shipping order.exe, 00000000.00000002.630060439.0000000003583000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.535947107.000000000379F000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.536440471.00000000037A3000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.625432894.00000000036AF000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.625572593.00000000036B3000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.625714191.00000000033F3000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.625898759.0000000003413000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
        Source: shipping order.exe, 00000000.00000002.629763939.0000000003563000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.535270665.0000000003783000.00000004.00000001.sdmp, shipping order.exe, 0000001B.00000002.603560292.00000000016E0000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.625714191.00000000033F3000.00000004.00000001.sdmp, shipping order.exe, 00000022.00000002.599858334.0000000001480000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
        Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
        Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
        Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
        Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
        Source: shipping order.exe, 0000001E.00000002.622773762.00000000042E9000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 0000001E.00000002.551692234.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001E.00000002.606733051.00000000032E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000001E.00000002.622773762.00000000042E9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: shipping order.exe PID: 5732, type: MEMORY
        Source: Yara match | File source: 30.2.shipping order.exe.400000.0.unpack, type: UNPACKEDPE

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 0000001E.00000002.551692234.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001E.00000002.551692234.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001E.00000002.622773762.00000000042E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: shipping order.exe PID: 5732, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: shipping order.exe PID: 5732, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 30.2.shipping order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 30.2.shipping order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Initial sample is a PE file and has a suspicious name
        Source: initial sample | Static PE information: Filename: shipping order.exe
        Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 2616
        Source: shipping order.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: shipping order.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: shipping order.exe, 00000000.00000002.610663705.0000000002E90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs shipping order.exe
        Source: shipping order.exe, 00000000.00000002.602732861.0000000001420000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs shipping order.exe
        Source: shipping order.exe, 0000000E.00000002.607053455.0000000004B5F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs shipping order.exe
        Source: shipping order.exe, 0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamebfba bbe.exe2 vs shipping order.exe
        Source: shipping order.exe, 0000000E.00000002.625130953.0000000005650000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs shipping order.exe
        Source: shipping order.exe, 0000001B.00000002.598067590.00000000013CA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs shipping order.exe
        Source: shipping order.exe, 0000001B.00000002.603560292.00000000016E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs shipping order.exe
        Source: shipping order.exe, 0000001D.00000002.602169283.00000000012B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs shipping order.exe
        Source: shipping order.exe, 0000001E.00000002.606733051.00000000032E1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs shipping order.exe
        Source: shipping order.exe, 0000001E.00000002.622773762.00000000042E9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs shipping order.exe
        Source: shipping order.exe, 0000001E.00000002.622773762.00000000042E9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs shipping order.exe
        Source: shipping order.exe, 00000022.00000002.599858334.0000000001480000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs shipping order.exe
        Source: shipping order.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 0000001E.00000002.551692234.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001E.00000002.551692234.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.610896379.0000000004C82000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001E.00000002.622773762.00000000042E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: shipping order.exe PID: 5732, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: shipping order.exe PID: 5732, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 30.2.shipping order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 30.2.shipping order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 30.2.shipping order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb=
        Source: shipping order.exe, 0000001B.00000002.599305749.0000000001428000.00000004.00000020.sdmp | Binary or memory string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb6e8
        Source: shipping order.exe, 0000001B.00000002.600047696.000000000148C000.00000004.00000020.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
        Source: classification engine | Classification label: mal100.troj.adwa.evad.winEXE@55/23@26/5
        Source: C:\Users\user\Desktop\shipping order.exe | File created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\shipping order.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4668:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6320:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5996:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5144:120:WilError_01
        Source: C:\Users\user\Desktop\shipping order.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{db5d3893-53a7-40c5-9e07-c472ba23289f}
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4572:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_01
        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5316
        Source: C:\Users\user\Desktop\shipping order.exe | File created: C:\Users\user\AppData\Local\Temp\028a5345-3ada-4536-b4b8-e5892a029a73
        Source: shipping order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\shipping order.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\shipping order.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\shipping order.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: C:\Users\user\Desktop\shipping order.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\Desktop\shipping order.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\Desktop\shipping order.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\shipping order.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\shipping order.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\shipping order.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: shipping order.exe | Virustotal: Detection: 34%
        Source: shipping order.exe | ReversingLabs: Detection: 30%
        Source: C:\Users\user\Desktop\shipping order.exe | File read: C:\Users\user\Desktop\shipping order.exe
        Source: unknown | Process created: C:\Users\user\Desktop\shipping order.exe 'C:\Users\user\Desktop\shipping order.exe' (5 instances)
        Source: unknown | Process created: C:\Users\user\Desktop\shipping order.exe C:\Users\user\Desktop\shipping order.exe (1 instance)
        Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force (4 instances)
        Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\shipping order.exe' -Force (1 instance)
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (8 instances)
        Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1 (3 instances)
        Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1 (3 instances)
        Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 2616 (1 instance)
        Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' (1 instance)
        Source: C:\Users\user\Desktop\shipping order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe' -Force (4 instances)
        Source: C:\Users\user\Desktop\shipping order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\shipping order.exe' -Force (1 instance)
        Source: C:\Users\user\Desktop\shipping order.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1 (3 instances)
        Source: C:\Users\user\Desktop\shipping order.exe | Process created: C:\Users\user\Desktop\shipping order.exe C:\Users\user\Desktop\shipping order.exe (1 instance)
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1 (3 instances)
        Source: C:\Users\user\Desktop\shipping order.exe | Process created: unknown unknown (16 instances)
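The process tree above carries three behaviours worth turning into detections: powershell.exe adding Windows Defender exclusions for the dropped Startup copy and for the original Desktop path, the copy executing out of the Start Menu Startup folder, and the sample spawning `cmd.exe /c timeout 1` before relaunching itself. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it runs those three rules over constructed process-creation events modelled on the command lines listed above. The event fields (pid, ppid, image, cmdline), the PIDs and the benign control event are assumptions; in a real pipeline the events would come from Sysmon Event ID 1 or Security Event ID 4688.

```python
"""Hunting rules for the process tree shown in this report (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event. Field names are assumptions, not the report's."""
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # full command line as logged


@dataclass
class Finding:
    rule: str
    pid: int
    severity: str
    detail: str


# Constructed events modelled on the command lines in the report. PIDs and the
# final benign control event are assumptions; nothing here is sandbox output.
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath '{}' -Force"
DESKTOP = r"C:\Users\user\Desktop\shipping order.exe"
STARTUP = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order.exe"

EVENTS = [
    ProcEvent(1000, 1, DESKTOP, f"'{DESKTOP}'"),
    ProcEvent(1001, 1000, PS, PS_CMD.format(STARTUP)),
    ProcEvent(1002, 1000, PS, PS_CMD.format(DESKTOP)),
    ProcEvent(1003, 1000, r"C:\Windows\SysWOW64\cmd.exe", r"'C:\Windows\System32\cmd.exe' /c timeout 1"),
    ProcEvent(1004, 1003, r"C:\Windows\SysWOW64\timeout.exe", "timeout 1"),
    ProcEvent(1005, 1000, DESKTOP, DESKTOP),                  # sample relaunches itself
    ProcEvent(1006, 1, STARTUP, f"'{STARTUP}'"),              # copy runs from the Startup folder
    # Benign control: an administrator excluding a vendor tool under Program Files.
    ProcEvent(1007, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe Add-MpPreference -ExclusionPath 'C:\Program Files\Vendor\scanner.exe'"),
]

# Add-MpPreference -ExclusionPath/-ExclusionProcess/-ExclusionExtension <quoted or bare value>
MP_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)
# Locations a standard user can write to: an exclusion here protects a dropped file, not software.
USER_WRITABLE = re.compile(r"^[a-z]:\\Users\\[^\\]+\\(?:AppData|Desktop|Downloads|Documents)\\", re.I)
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
CMD_TIMEOUT = re.compile(r"\btimeout\s+\d+", re.I)


def excluded_path(cmdline: str):
    """Return the value handed to Add-MpPreference -Exclusion*, or None when absent."""
    m = MP_EXCLUSION.search(cmdline)
    if m is None:
        return None
    return next(g for g in m.groups() if g is not None)


def analyze(events):
    """Apply the three rules and return one Finding per hit."""
    findings = []
    image_of = {e.pid: e.image for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    for e in events:
        path = excluded_path(e.cmdline)
        if path is not None:
            severity = "high" if USER_WRITABLE.match(path) else "medium"
            findings.append(Finding("defender_exclusion", e.pid, severity, f"excludes {path}"))
        if STARTUP_DIR.search(e.image):
            findings.append(Finding("startup_folder_exec", e.pid, "medium", e.image))

    # Parent spawns 'cmd /c timeout N' and also a fresh copy of its own image: delay-then-relaunch.
    for ppid, kids in children.items():
        parent_image = image_of.get(ppid)
        if parent_image is None:
            continue
        has_timeout = any(k.image.lower().endswith("\\cmd.exe") and CMD_TIMEOUT.search(k.cmdline) for k in kids)
        relaunch = any(k.image.lower() == parent_image.lower() for k in kids)
        if has_timeout and relaunch:
            findings.append(Finding("timeout_relaunch", ppid, "medium",
                                    f"{parent_image} waits via cmd /c timeout, then relaunches itself"))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f.severity}] {f.rule} pid={f.pid}: {f.detail}")
```

Add-MpPreference is also used legitimately by administrators, which is why the rule grades the exclusion by what it protects: a path under a user profile (Startup folder, Desktop, AppData) is the high-signal case, an exclusion under Program Files is only worth a review. The relaunch rule deliberately requires both the `cmd /c timeout` child and a same-image child under one parent, so a lone `timeout` in a logon script does not fire it.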
        Source: C:\Users\user\Desktop\shipping order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\shipping order.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: shipping order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: shipping order.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
        Source: shipping order.exe | Static file information: File size 2814976 > 1048576
        Source: shipping order.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x286400
        Source: shipping order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
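The static PE signatures above are read straight from the headers: the DllCharacteristics word of the optional header yields NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE and NX_COMPAT; a non-empty data directory entry 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, the CLR header) marks the file as a .NET assembly; and the section table supplies the .text size and flags. The parser below is an added example, not code from the report, that shows how those fields are located. Because the real sample is not available here, it builds a constructed header-only PE32 image that carries the same values the report lists (DllCharacteristics 0x8540, a populated CLR directory entry, a .text section with raw size 0x286400); the other header values in it are filler.

```python
"""Minimal PE header reader that re-derives the static signatures listed above (added example)."""
import struct
from dataclasses import dataclass

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
SECTION_FLAGS = {0x00000020: "IMAGE_SCN_CNT_CODE", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                 0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR runtime header: present only in managed images
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


@dataclass
class Section:
    name: str
    virtual_size: int
    raw_size: int
    flags: list


@dataclass
class PEInfo:
    dll_characteristics: list
    is_dotnet: bool
    sections: list


def parse_pe(data: bytes) -> PEInfo:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]          # same offset for PE32 and PE32+
    n_dirs = struct.unpack_from("<I", data, opt + (92 if magic == PE32_MAGIC else 108))[0]
    dd_off = opt + (96 if magic == PE32_MAGIC else 112)             # start of the data directories
    is_dotnet = False
    if n_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
        is_dotnet = clr_rva != 0 and clr_size != 0
    sections = []
    sec_off = opt + size_opt                                         # section table follows the optional header
    for i in range(nsections):
        name, vsize, _vaddr, rawsize = struct.unpack_from("<8sIII", data, sec_off + 40 * i)
        chars = struct.unpack_from("<I", data, sec_off + 40 * i + 36)[0]
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vsize, rawsize,
                                [n for bit, n in SECTION_FLAGS.items() if chars & bit]))
    return PEInfo([n for bit, n in DLL_CHARACTERISTICS.items() if dllchars & bit], is_dotnet, sections)


def report_signatures(info: PEInfo, size_limit: int = 0x100000) -> list:
    """Re-state the parsed headers in the wording the report uses for its static signatures."""
    sigs = []
    if info.is_dotnet:
        sigs.append("data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR")
    for s in info.sections:
        if s.virtual_size > size_limit:
            sigs.append(f"Virtual size of {s.name} is bigger than: {size_limit:#x}")
        if s.raw_size > size_limit:
            sigs.append(f"Raw size of {s.name} is bigger than: {size_limit:#x} < {s.raw_size:#x}")
    sigs.append(", ".join(info.dll_characteristics))
    return sigs


def build_sample() -> bytes:
    """Constructed header-only PE32 image carrying the values the report lists. Not the real sample."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                           # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, 224-byte optional header
    fixed = bytearray(96)
    struct.pack_into("<H", fixed, 0, PE32_MAGIC)
    struct.pack_into("<H", fixed, 70, 0x8540)   # NO_SEH | TERMINAL_SERVER_AWARE | DYNAMIC_BASE | NX_COMPAT
    struct.pack_into("<I", fixed, 92, 16)       # NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)  # CLR header RVA/size
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x2862F4, 0x2000, 0x286400, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(fixed) + bytes(dirs) + text


if __name__ == "__main__":
    for line in report_signatures(parse_pe(build_sample())):
        print("Static PE information:", line)
```

The CLR directory check is the quick way to confirm what the mscorlib.ni.dll loads and the mscorrc.dll open already suggest: this is a managed binary, so the interesting code is in IL and the .text size reflects embedded payload data rather than native code. A large .text on a .NET dropper is a common sign of an embedded, encrypted next stage, which matches the injection and Startup-copy behaviour recorded elsewhere in this report.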
        Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
        Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000023.00000003.349471169.0000000005237000.00000004.00000001.sdmp
        Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000023.00000003.531904186.00000000056A0000.00000004.00000040.sdmp
        Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: C:\Users\user\Desktop\shipping order.PDB8 source: shipping order.exe, 00000000.00000002.587470531.0000000000EF8000.00000004.00000001.sdmp
        Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbezi source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
        Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbe source: shipping order.exe, 0000001D.00000002.598875742.0000000001007000.00000004.00000020.sdmp
        Source: Binary string: shipping order.PDB" source: shipping order.exe, 0000000E.00000002.466963492.0000000000F68000.00000004.00000010.sdmp
        Source: Binary string: System.Xml.ni.pdbL source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: shipping order.exe, 0000001B.00000002.600047696.000000000148C000.00000004.00000020.sdmp, shipping order.exe, 0000001D.00000002.598875742.0000000001007000.00000004.00000020.sdmp
        Source: Binary string: clr.pdb source: WerFault.exe, 00000023.00000003.531904186.00000000056A0000.00000004.00000040.sdmp
        Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000023.00000003.531904186.00000000056A0000.00000004.00000040.sdmp
        Source: Binary string: oft.VisualBasic.pdb source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
        Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: shipping order.exe, 00000000.00000002.599854975.000000000128E000.00000004.00000020.sdmp, shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
        Source: Binary string: advapi32.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: shipping order.exe, 0000001D.00000002.598875742.0000000001007000.00000004.00000020.sdmp
        Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: wimm32.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: shipping order.exe, 00000000.00000002.587470531.0000000000EF8000.00000004.00000001.sdmp, shipping order.exe, 0000000E.00000002.466963492.0000000000F68000.00000004.00000010.sdmp, shipping order.exe, 0000001B.00000002.587581007.00000000010F8000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.587046674.0000000000CF8000.00000004.00000001.sdmp
        Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.ni.pdbL source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: mscoree.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: version.pdbi source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb= source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
        Source: Binary string: System.Windows.Forms.pdbL source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbn source: shipping order.exe, 0000001D.00000002.598875742.0000000001007000.00000004.00000020.sdmp
        Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000023.00000003.531904186.00000000056A0000.00000004.00000040.sdmp
        Source: Binary string: WLDP.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: sechost.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb* source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
        Source: Binary string: clrjit.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Users\user\Desktop\shipping order.PDB source: shipping order.exe, 0000001B.00000002.599305749.0000000001428000.00000004.00000020.sdmp
        Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbe{ source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
        Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp, shipping order.exe, 0000001B.00000002.599305749.0000000001428000.00000004.00000020.sdmp
        Source: Binary string: System.Core.ni.pdbj source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: w.pdb source: shipping order.exe, 0000001B.00000002.587581007.00000000010F8000.00000004.00000001.sdmp, shipping order.exe, 0000001D.00000002.587046674.0000000000CF8000.00000004.00000001.sdmp
        Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: ole32.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: version.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: wintrust.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbk source: shipping order.exe, 0000000E.00000002.475556380.000000000126D000.00000004.00000020.sdmp
        Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: System.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: shipping order.exe, 0000001B.00000002.600047696.000000000148C000.00000004.00000020.sdmp
        Source: Binary string: System.ni.pdbj source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: System.Configuration.pdb3 source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000023.00000003.531904186.00000000056A0000.00000004.00000040.sdmp
        Source: Binary string: msasn1.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: ic.pdbW source: shipping order.exe, 00000000.00000002.587470531.0000000000EF8000.00000004.00000001.sdmp
        Source: Binary string: mscorlib.pdb source: shipping order.exe, 0000001B.00000002.600047696.000000000148C000.00000004.00000020.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: shipping order.exe, 0000001B.00000002.598463851.00000000013F4000.00000004.00000020.sdmp
        Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: System.pdbL source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: cryptbase.pdb{ source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: System.Management.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdboto source: shipping order.exe, 00000000.00000002.599854975.000000000128E000.00000004.00000020.sdmp
        Source: Binary string: System.Core.pdb source: WerFault.exe, 00000023.00000003.529202443.00000000056D1000.00000004.00000001.sdmp
        Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000023.00000003.527846361.00000000056AA000.00000004.00000040.sdmp
        Source: Binary string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb6e8 source: shipping order.exe, 0000001B.00000002.599305749.0000000001428000.00000004.00000020.sdmp
        Source: Binary string: apphelp.pd<