Analysis Report 0603321WG_0_1 pdf.exe

Overview

General Information

Sample Name: 0603321WG_0_1 pdf.exe
Analysis ID: 356527
MD5: 9844048a2b7081d223139f100b0ff486
SHA1: 1cb465daf8e6a202356db86a9380e94e6cc1fa4d
SHA256: 283915d333318f5e8e7f30cdf8f8f96723da7af6ddab9c29c6f0b5a687157aa4
Tags: AgentTesla exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • 0603321WG_0_1 pdf.exe (PID: 7004 cmdline: 'C:\Users\user\Desktop\0603321WG_0_1 pdf.exe' MD5: 9844048A2B7081D223139F100B0FF486)
    • cmd.exe (PID: 4804 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 4112 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • 0603321WG_0_1 pdf.exe (PID: 4500 cmdline: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe MD5: 9844048A2B7081D223139F100B0FF486)
    • WerFault.exe (PID: 6448 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 276 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • NewApp.exe (PID: 4972 cmdline: 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe' MD5: 9844048A2B7081D223139F100B0FF486)
    • cmd.exe (PID: 7148 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5672 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • NewApp.exe (PID: 6000 cmdline: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe MD5: 9844048A2B7081D223139F100B0FF486)
    • WerFault.exe (PID: 4660 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1896 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • NewApp.exe (PID: 7056 cmdline: 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe' MD5: 9844048A2B7081D223139F100B0FF486)
    • cmd.exe (PID: 6240 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 1692 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • NewApp.exe (PID: 5552 cmdline: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe MD5: 9844048A2B7081D223139F100B0FF486)
    • WerFault.exe (PID: 4780 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 1464 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "lD7CEXwZN", "URL: ": "http://IScLhfPkYRYa5.com", "To: ": "greatzills@gmail.com", "ByHost: ": "mail.orienttech.com.qa:587", "Password: ": "Y3O4R6toekwlmQ", "From: ": "sales@orienttech.com.qa"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000F.00000002.850762818.00000000050CD000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000013.00000002.879172967.00000000064E4000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000001C.00000002.808427575.0000000003011000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000001C.00000002.808427575.0000000003011000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0000001B.00000002.912580946.0000000003191000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.0603321WG_0_1 pdf.exe.47a2af0.9.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
19.2.NewApp.exe.650ce20.11.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
7.2.0603321WG_0_1 pdf.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.0603321WG_0_1 pdf.exe.47d8910.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
19.2.NewApp.exe.6979bd8.12.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0603321WG_0_1 pdf.exe.4500.7.memstr, Malware Configuration Extractor: Agenttesla {"Username: ": "lD7CEXwZN", "URL: ": "http://IScLhfPkYRYa5.com", "To: ": "greatzills@gmail.com", "ByHost: ": "mail.orienttech.com.qa:587", "Password: ": "Y3O4R6toekwlmQ", "From: ": "sales@orienttech.com.qa"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe, ReversingLabs: Detection: 21%
Multi AV Scanner detection for submitted file
Source: 0603321WG_0_1 pdf.exe, ReversingLabs: Detection: 21%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 0603321WG_0_1 pdf.exe, Joe Sandbox ML: detected
Source: 7.2.0603321WG_0_1 pdf.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 28.2.NewApp.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 27.2.NewApp.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: 0603321WG_0_1 pdf.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: 0603321WG_0_1 pdf.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
                      Source: Binary string: dhcpcsvc6.pdbD source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdbh source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb** source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670942444.0000000000EBA000.00000004.00000020.sdmp
                      Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670154182.00000000009A7000.00000004.00000010.sdmp, NewApp.exe, 0000000F.00000002.806394877.0000000000FD7000.00000004.00000010.sdmp, NewApp.exe, 00000013.00000002.806993531.0000000000537000.00000004.00000010.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: edputil.pdb: source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdb;^ source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: rtutils.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: System.pdbx source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001F.00000003.804994756.0000000000A15000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000A.00000003.685883855.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.829603052.0000000004DE0000.00000004.00000040.sdmp
                      Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdbg source: WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp
                      Source: Binary string: rasman.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdbs source: WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp
                      Source: Binary string: winnsi.pdb source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: version.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb1 source: NewApp.exe, 0000000F.00000002.809881079.00000000014CF000.00000004.00000020.sdmp
                      Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: C:\Users\user\AppData\Roaming\NewApp\NewApp.PDBL source: NewApp.exe, 0000000F.00000002.806394877.0000000000FD7000.00000004.00000010.sdmp
                      Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: System.pdb source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: ore.ni.pdb source: WerFault.exe, 0000001F.00000003.829429051.0000000004E26000.00000004.00000001.sdmp
                      Source: Binary string: msasn1.pdbb source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: NewApp.exe, 00000013.00000002.810490743.000000000088A000.00000004.00000020.sdmp
                      Source: Binary string: ore.pdb source: WerFault.exe, 0000001F.00000003.829429051.0000000004E26000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000A.00000003.685883855.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.829603052.0000000004DE0000.00000004.00000040.sdmp
                      Source: Binary string: psapi.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdbW% source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670979775.0000000000EE5000.00000004.00000020.sdmp, NewApp.exe, 0000000F.00000002.810619163.0000000001557000.00000004.00000020.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdby source: WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp
                      Source: Binary string: cldapi.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001F.00000003.806548362.0000000000A27000.00000004.00000001.sdmp
                      Source: Binary string: combase.pdbk source: WerFault.exe, 0000000A.00000003.685738561.0000000005184000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832058326.0000000005764000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdb source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 0000001F.00000003.829019707.0000000004DF3000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 0000001F.00000003.829019707.0000000004DF3000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: clrjit.pdb/t)r source: WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: }}NewApp.PDB} source: NewApp.exe, 00000013.00000002.806993531.0000000000537000.00000004.00000010.sdmp
                      Source: Binary string: edputil.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: dhcpcsvc.pdb[e<jr source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp
                      Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp

                      Networking:

                      C2 URLs / IPs found in malware configuration
                      Source: Malware configuration extractor URLs: http://IScLhfPkYRYa5.com
                      Source: global traffic HTTP traffic detected: GET /base/008D1C43D45C0A742A0D32B591796DBD.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
                      Source: Joe Sandbox View IP Address: 104.21.71.230
                      Source: unknown DNS traffic detected: queries for: coroloboxorozor.com
                      Source: NewApp.exe, 0000000F.00000002.809472540.0000000001498000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe Window created: window name: CLIPBRDWNDCLASS
                      Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 276
                      Source: 0603321WG_0_1 pdf.exe Static PE information: invalid certificate
                      Source: 0603321WG_0_1 pdf.exe Binary or memory string: OriginalFilename vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000000.00000002.674955398.0000000004485000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000000.00000002.672052071.00000000032A9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameJcue ESf.exe2 vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000000.00000002.684283950.00000000059F0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000000.00000002.684283950.00000000059F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000000.00000002.684453359.0000000005C10000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000000.00000000.643196446.0000000000812000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUAudJRAa.exe2 vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000000.00000002.683795735.0000000005150000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000000.00000002.684560546.0000000005DB0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe Binary or memory string: OriginalFilename vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.920216690.0000000005C60000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.912069890.0000000000FC0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.909029563.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameJcue ESf.exe2 vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.912313952.0000000001030000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.909531429.00000000007C2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUAudJRAa.exe2 vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: NewApp.exe, 0000000F.00000002.809881079.00000000014CF000.00000004.00000020.sdmp Binary or memory string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb1
                      Source: NewApp.exe, 00000013.00000002.810490743.000000000088A000.00000004.00000020.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
                      Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@27/14@4/3
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe File created: C:\Users\user\AppData\Roaming\NewApp
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5040:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7056
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7004
                      Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4972
                      Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD18D.tmp
                      Source: 0603321WG_0_1 pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: 0603321WG_0_1 pdf.exe ReversingLabs: Detection: 21%
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe File read: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe
                      Source: unknown Process created: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe 'C:\Users\user\Desktop\0603321WG_0_1 pdf.exe'
                      Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: unknown Process created: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe C:\Users\user\Desktop\0603321WG_0_1 pdf.exe
                      Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 276
                      Source: unknown Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe'
                      Source: unknown Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe'
                      Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: unknown Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: unknown Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                      Source: unknown Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                      Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 1464
                      Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1896
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe Process created: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe C:\Users\user\Desktop\0603321WG_0_1 pdf.exe
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: 0603321WG_0_1 pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: 0603321WG_0_1 pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: cldapi.pdbye source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb13Z source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670963897.0000000000ED2000.00000004.00000020.sdmp
                      Source: Binary string: J0603321WG_0_1 pdf.PDB source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670154182.00000000009A7000.00000004.00000010.sdmp
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: rasapi32.pdbV#jN source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp
                      Source: Binary string: cryptsp.pdbm source: WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp
                      Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: crypt32.pdbme"j source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp
                      Source: Binary string: }C:\Users\user\AppData\Roaming\NewApp\NewApp.PDB?p source: NewApp.exe, 00000013.00000002.806993531.0000000000537000.00000004.00000010.sdmp
                      Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: .pdb, source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670154182.00000000009A7000.00000004.00000010.sdmp
                      Source: Binary string: rsaenh.pdbk source: WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.pdb&& source: WerFault.exe, 0000001F.00000003.829019707.0000000004DF3000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: clrjit.pdbu source: WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: NewApp.exe, 0000000F.00000002.810619163.0000000001557000.00000004.00000020.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000A.00000003.685883855.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.829603052.0000000004DE0000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb<Cwo source: NewApp.exe, 00000013.00000002.810490743.000000000088A000.00000004.00000020.sdmp
                      Source: Binary string: fwpuclnt.pdbH source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670979775.0000000000EE5000.00000004.00000020.sdmp, NewApp.exe, 0000000F.00000002.810472818.0000000001543000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.810490743.000000000088A000.00000004.00000020.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: winhttp.pdb6 source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: NewApp.PDBI source: NewApp.exe, 0000000F.00000002.806394877.0000000000FD7000.00000004.00000010.sdmp
                      Source: Binary string: wimm32.pdbO5 source: WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.829603052.0000000004DE0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: dhcpcsvc6.pdbD source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdbh source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb** source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670942444.0000000000EBA000.00000004.00000020.sdmp
                      Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp