Analysis Report A4-058000200390-10-14_REV_pdf.exe

Overview

General Information

Sample Name: A4-058000200390-10-14_REV_pdf.exe
Analysis ID: 356536
MD5: 5af8f94a752ca9996fbfbf01dcc30edd
SHA1: b52d9ba9b7890e2b51e64ab889805cfce5126ebb
SHA256: b37d450b7d60fd2497ae794e9835b999339549406b1a05d92bb46a9f1a23eb12
Tags: AgentTesla, exe


Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Contains functionality to register a low level keyboard hook
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Installs a global keyboard hook
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: A4-058000200390-10-14_REV_pdf.exe.1572.8.memstr Malware Configuration Extractor: Agenttesla {"Username: ": "EeCndWA", "URL: ": "http://2nUtGMgnxihCA8N2g.org", "To: ": "admin@soonlogistics.com", "ByHost: ": "mail.soonlogistics.com:587", "Password: ": "rLe4bkEV", "From: ": "admin@soonlogistics.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe ReversingLabs: Detection: 12%
Multi AV Scanner detection for submitted file
Source: A4-058000200390-10-14_REV_pdf.exe ReversingLabs: Detection: 12%
Antivirus or Machine Learning detection for unpacked file
Source: 31.2.NewApp.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 24.2.NewApp.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 8.2.A4-058000200390-10-14_REV_pdf.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: A4-058000200390-10-14_REV_pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: A4-058000200390-10-14_REV_pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://2nUtGMgnxihCA8N2g.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49763 -> 103.17.211.69:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /base/BE0C9BE287721D2E1639C8881BC9F105.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /base/B7EFDEC15CD29E4CF1B708AC6486760D.html HTTP/1.1 Host: coroloboxorozor.com
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.21.71.230
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: IPSERVERONE-AS-APIPServerOneSolutionsSdnBhdMY
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49763 -> 103.17.211.69:587
Source: unknown DNS traffic detected: queries for: coroloboxorozor.com
Source: NewApp.exe, 00000018.00000002.915676599.0000000002898000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916299146.0000000002A55000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916269984.0000000002A4C000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.915858947.000000000298E000.00000004.00000001.sdmp String found in binary or memory: http://2nUtGMgnxihCA8N2g.org
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920904751.00000000067E0000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916501179.0000000002A9A000.00000004.00000001.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697632475.0000000002C21000.00000004.00000001.sdmp, NewApp.exe, 00000012.00000002.817905457.0000000002F11000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.818132626.0000000002601000.00000004.00000001.sdmp String found in binary or memory: http://coroloboxorozor.com
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697632475.0000000002C21000.00000004.00000001.sdmp, NewApp.exe, 00000012.00000002.817905457.0000000002F11000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.818132626.0000000002601000.00000004.00000001.sdmp String found in binary or memory: http://coroloboxorozor.com/base/B7EFDEC15CD29E4CF1B708AC6486760D.html
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697632475.0000000002C21000.00000004.00000001.sdmp, NewApp.exe, 00000012.00000002.817905457.0000000002F11000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.818132626.0000000002601000.00000004.00000001.sdmp String found in binary or memory: http://coroloboxorozor.com/base/BE0C9BE287721D2E1639C8881BC9F105.html
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920904751.00000000067E0000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916501179.0000000002A9A000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920904751.00000000067E0000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916501179.0000000002A9A000.00000004.00000001.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920904751.00000000067E0000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916501179.0000000002A9A000.00000004.00000001.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.916340708.0000000002FFB000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916097296.0000000002A24000.00000004.00000001.sdmp String found in binary or memory: http://mail.soonlogistics.com
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920904751.00000000067E0000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916501179.0000000002A9A000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/0
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920904751.00000000067E0000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916501179.0000000002A9A000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697632475.0000000002C21000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, NewApp.exe, 00000012.00000002.817905457.0000000002F11000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.818132626.0000000002601000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_0643C37C SetWindowsHookExW 0000000D,00000000,?,? 24_2_0643C37C
Installs a global keyboard hook
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
Creates a DirectInput object (often for capturing keystrokes)
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697398308.00000000010AB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: A4-058000200390-10-14_REV_pdf.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E992E0 NtSetInformationThread, 0_2_00E992E0
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E9A031 NtSetInformationThread, 0_2_00E9A031
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 18_2_02DD92E0 NtSetInformationThread, 18_2_02DD92E0
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 19_2_024192E0 NtSetInformationThread, 19_2_024192E0
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 19_2_0241A031 NtSetInformationThread, 19_2_0241A031
Detected potential crypto function
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 1588
PE / OLE file has an invalid certificate
Source: A4-058000200390-10-14_REV_pdf.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.705986735.00000000051E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697398308.00000000010AB000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.702719345.000000000442A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameOYSP IuQ.exe2 vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.706448464.0000000005B20000.00000002.00000001.sdmp Binary or memory string: originalfilename vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.706448464.0000000005B20000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.698714228.0000000003C29000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.706578573.0000000005CF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.696808510.00000000008A6000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIGtzbNIQ.exe2 vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.706664295.0000000005DD0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.913106033.000000000107A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920734902.0000000006790000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.918507319.0000000005F40000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.924161164.0000000006950000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000000.667116345.0000000000A56000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIGtzbNIQ.exe2 vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.923915829.00000000068E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.912393634.0000000000BE7000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920690884.0000000006780000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.918554184.0000000005F50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.912217696.0000000000448000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameOYSP IuQ.exe2 vs A4-058000200390-10-14_REV_pdf.exe
Uses 32bit PE files
Source: A4-058000200390-10-14_REV_pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp Binary or memory string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697491414.0000000001159000.00000004.00000020.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_7|
Source: NewApp.exe, 00000012.00000002.815630033.0000000001206000.00000004.00000020.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbE3931}\Server
Source: NewApp.exe, 00000013.00000002.816014888.00000000009F0000.00000004.00000020.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@27/16@6/3
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe File created: C:\Users\user\AppData\Roaming\NewApp
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6328:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7040
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2092
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1216
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3480:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1440:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD95.tmp
Source: A4-058000200390-10-14_REV_pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: A4-058000200390-10-14_REV_pdf.exe ReversingLabs: Detection: 12%
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe File read: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe
Source: unknown Process created: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe 'C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown Process created: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 1588
Source: unknown Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1956
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1868
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Process created: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: A4-058000200390-10-14_REV_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: A4-058000200390-10-14_REV_pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source: Binary string: NewApp.PDB source: NewApp.exe, 00000012.00000002.811053031.0000000000D97000.00000004.00000010.sdmp, NewApp.exe, 00000013.00000002.811010579.00000000003C7000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: NewApp.exe, 00000013.00000002.816199622.0000000000A02000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbcB source: NewApp.exe, 00000013.00000002.816199622.0000000000A02000.00000004.00000020.sdmp
Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000B.00000003.685664401.00000000052AE000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697491414.0000000001159000.00000004.00000020.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.673776774.0000000004C7B000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.685922840.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
Source: Binary string: dnsapi.pdbJ source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdb` source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
Source: Binary string: ml.pdb source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 0000000B.00000003.685922840.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: .ni.pdb source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000B.00000003.685664401.00000000052AE000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbjB source: NewApp.exe, 00000013.00000002.816199622.0000000000A02000.00000004.00000020.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697491414.0000000001159000.00000004.00000020.sdmp, NewApp.exe, 00000012.00000002.815630033.0000000001206000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmp
Source: Binary string: urlmon.pdb* source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
Source: Binary string: iVisualBasic.pdb\3 source: NewApp.exe, 00000012.00000002.811053031.0000000000D97000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbd source: NewApp.exe, 00000012.00000002.815630033.0000000001206000.00000004.00000020.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb@ source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb)gc}+ source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697491414.0000000001159000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmp
Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb, source: WerFault.exe, 0000000B.00000003.685664401.00000000052AE000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdb> source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, NewApp.exe, 00000012.00000002.815630033.0000000001206000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.816199622.0000000000A02000.00000004.00000020.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb" source: NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmp
Source: Binary string: rasadhlp.pdb& source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdbx source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.685664401.00000000052AE000.00000004.00000040.sdmp
Source: Binary string: iVisualBasic.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.696989572.0000000000CF7000.00000004.00000010.sdmp, NewApp.exe, 00000013.00000002.811010579.00000000003C7000.00000004.00000010.sdmp
Source: Binary string: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.PDB source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.696989572.0000000000CF7000.00000004.00000010.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
Source: Binary string: winhttp.pdbn source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbw_ source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697491414.0000000001159000.00000004.00000020.sdmp
Source: Binary string: ml.ni.pdb source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb4 source: WerFault.exe, 0000000B.00000003.685897028.00000000052AA000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb^ source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdbL source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000B.00000003.685664401.00000000052AE000.00000004.00000040.sdmp
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbE3931}\Server source: NewApp.exe, 00000012.00000002.815630033.0000000001206000.00000004.00000020.sdmp
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: NewApp.exe, 00000012.00000002.815630033.0000000001206000.00000004.00000020.sdmp
Source: Binary string: fwpuclnt.pdbF source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.685922840.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbh source: WerFault.exe, 0000001A.00000003.799925426.000000000523B000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697491414.0000000001159000.00000004.00000020.sdmp, NewApp.exe, 00000012.00000002.815445862.00000000011F5000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.816199622.0000000000A02000.00000004.00000020.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\NewApp\NewApp.PDB source: NewApp.exe, 00000012.00000002.811053031.0000000000D97000.00000004.00000010.sdmp, NewApp.exe, 00000013.00000002.811010579.00000000003C7000.00000004.00000010.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb[ source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp
Source: Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.696989572.0000000000CF7000.00000004.00000010.sdmp, NewApp.exe, 00000012.00000002.811053031.0000000000D97000.00000004.00000010.sdmp, NewApp.exe, 00000013.00000002.811010579.00000000003C7000.00000004.00000010.sdmp
Source: Binary string: psapi.pdb!-0 source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb9\ source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697430851.00000000010DF000.00000004.00000020.sdmp
Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000B.00000003.685664401.00000000052AE000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source: Binary string: System.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source: Binary string: rtutils.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb` source: NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdbt source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.685922840.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: ml.pdb&& source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source: Binary string: dhcpcsvc.pdbP source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source: Binary string: onfiguration.pdb source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb* source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb* source: NewApp.exe, 00000012.00000002.815445862.00000000011F5000.00000004.00000020.sdmp
Source: Binary string: ore.ni.pdb source: WerFault.exe, 0000000B.00000003.685836587.0000000005127000.00000004.00000001.sdmp
Source: Binary string: System.pdb source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: NewApp.exe, 00000013.00000002.816014888.00000000009F0000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Roaming\NewApp\NewApp.PDBn^ source: NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.685922840.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: rtutils.pdbr source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: .pdb8h source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.696989572.0000000000CF7000.00000004.00000010.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source: Binary string: cldapi.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbr source: NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
Source: Binary string: onfiguration.pdbrr source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbl.* source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source: Binary string: A4-058000200390-10-14_REV_pdf.PDBZ source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.696989572.0000000000CF7000.00000004.00000010.sdmp
Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000B.00000003.685836587.0000000005127000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source: Binary string: edputil.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp

Data Obfuscation:

Binary contains a suspicious time stamp
Source: initial sample Static PE information: 0x88460DE1 [Fri Jun 13 17:14:09 2042 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E9E47A push ds; retf 0_2_00E9E47B
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E9E685 push ds; retf 0_2_00E9E65E
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E9E65C push ds; retf 0_2_00E9E65E
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E9E890 push ds; retf 0_2_00E9E891
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E9EAEF push ds; retf 0_2_00E9EAF1
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E9EA18 push ds; retf 0_2_00E9EA19
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E97D59 pushad ; retf 0005h 0_2_00E97D5A
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E99E51 push 00A405CAh; retf 0_2_00E99E56
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_05CE267B pushad ; retf 0_2_05CE2681
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063AAA1C push es; iretd 8_2_063AAA1D
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063A465E push cs; ret 8_2_063A4664
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063AE431 push esi; iretd 8_2_063AE432
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063AB58D push es; ret 8_2_063AB614
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063A5187 push edi; retn 0000h 8_2_063A5189
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 18_2_05FE2678 pushad ; retf 18_2_05FE2681
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 19_2_05632678 pushad ; retf 19_2_05632681
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_04D26BC0 push 5D5F5E5Bh; ret 24_2_04D26BA3
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_05D3E431 push esi; iretd 24_2_05D3E432
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_05D35187 push edi; retn 0000h 24_2_05D35189
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_05D3AA1C push es; iretd 24_2_05D3AA1D
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_06383697 push es; iretd 24_2_063836B8
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_06386FBC pushad ; retf 24_2_06386FBD
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_063833C9 push ecx; iretd 24_2_063833CC
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_0638B1F6 push cs; ret 24_2_0638B1F7
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_06431B98 push esi; ret 24_2_06431B9B

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe File created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NewApp

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe File opened: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe File opened: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Note: the signature titles are generic. The classes actually enumerated here are Win32_BaseBoard (no Win32_Bios query is recorded) and Win32_NetworkAdapterConfiguration, which exposes MAC addresses whose vendor OUIs identify VMware, VirtualBox and Hyper-V guests.
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Thread delayed: delay time: 922337203685477
Note: 922337203685477 is 2^63 / 10^4, i.e. the magnitude of the 0x8000000000000000 interval that Sleep(INFINITE) hands to NtDelayExecution, rendered in milliseconds. This is an indefinite wait, not a measured sleep of several minutes; a sandbox that does not shorten or skip it simply sees the thread park.
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Window / User API: threadDelayed 3080
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Window / User API: threadDelayed 1547
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Window / User API: threadDelayed 8247
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Window / User API: threadDelayed 455
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Window / User API: threadDelayed 2903
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Window / User API: threadDelayed 399
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Window / User API: threadDelayed 2121
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Window / User API: threadDelayed 1169
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Window / User API: threadDelayed 8261
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Window / User API: threadDelayed 1524
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe TID: 7044 Thread sleep count: 3080 > 30
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe TID: 7044 Thread sleep count: 223 > 30 (2 identical entries)
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe TID: 6180 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe TID: 6172 Thread sleep count: 1547 > 30
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe TID: 6172 Thread sleep count: 8247 > 30
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe TID: 6180 Thread sleep count: 48 > 30
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 5832 Thread sleep count: 455 > 30
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 5832 Thread sleep count: 2903 > 30
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 5832 Thread sleep count: 399 > 30
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 4696 Thread sleep count: 2121 > 30
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 4696 Thread sleep count: 1169 > 30
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 6124 Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 6972 Thread sleep count: 8261 > 30
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 6972 Thread sleep count: 1524 > 30
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 6124 Thread sleep count: 43 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: NewApp.exe, 00000018.00000002.923839104.0000000006230000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlly
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.705986735.00000000051E0000.00000002.00000001.sdmp, A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.918554184.0000000005F50000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.703525513.0000000004E80000.00000002.00000001.sdmp, NewApp.exe, 00000012.00000002.846768409.00000000055D0000.00000002.00000001.sdmp, NewApp.exe, 00000013.00000002.847227235.0000000004B80000.00000002.00000001.sdmp, NewApp.exe, 00000018.00000002.918863074.00000000058E0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000000B.00000003.700535576.0000000004BD4000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886267678.0000000004BF4000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.705986735.00000000051E0000.00000002.00000001.sdmp, A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.918554184.0000000005F50000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.703525513.0000000004E80000.00000002.00000001.sdmp, NewApp.exe, 00000012.00000002.846768409.00000000055D0000.00000002.00000001.sdmp, NewApp.exe, 00000013.00000002.847227235.0000000004B80000.00000002.00000001.sdmp, NewApp.exe, 00000018.00000002.918863074.00000000058E0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.705986735.00000000051E0000.00000002.00000001.sdmp, A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.918554184.0000000005F50000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.703525513.0000000004E80000.00000002.00000001.sdmp, NewApp.exe, 00000012.00000002.846768409.00000000055D0000.00000002.00000001.sdmp, NewApp.exe, 00000013.00000002.847227235.0000000004B80000.00000002.00000001.sdmp, NewApp.exe, 00000018.00000002.918863074.00000000058E0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000000B.00000002.703491956.0000000004C80000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697430851.00000000010DF000.00000004.00000020.sdmp, A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920904751.00000000067E0000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.705986735.00000000051E0000.00000002.00000001.sdmp, A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.918554184.0000000005F50000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.703525513.0000000004E80000.00000002.00000001.sdmp, NewApp.exe, 00000012.00000002.846768409.00000000055D0000.00000002.00000001.sdmp, NewApp.exe, 00000013.00000002.847227235.0000000004B80000.00000002.00000001.sdmp, NewApp.exe, 00000018.00000002.918863074.00000000058E0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Note: the Hyper-V message strings above also appear in the memory of WerFault.exe, a Windows component, so they come from system libraries loaded into every process and are not evidence of VM detection by the sample. The WMI enumeration and the VMware CD-ROM device path above are the evidence.
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Process information queried: ProcessInformation
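The WMI classes enumerated above return the fields a VM-aware sample compares against hypervisor fingerprints. The following Python is an added example written for this report, not code from the sample or from the sandbox: it scores constructed WMI-style host records, including the VMware CD-ROM device path recorded above, against the commonly published indicator strings and MAC OUIs, so a sandbox operator can check what their own guest leaks. The indicator lists and the two host records are the example author's assumptions; the report shows which classes were queried, not which values the malware tests.

```python
"""Evaluate WMI-style host facts for the virtualization artifacts that the
sample's enumeration of Win32_BaseBoard, Win32_Processor and
Win32_NetworkAdapterConfiguration (and its probe of a VMware CD-ROM device
path) would reveal.

Added example for the report, not code from the sample or the sandbox.
Indicator strings and MAC OUIs are the commonly published hypervisor
fingerprints, chosen by the example author; the host records are
constructed test data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Substrings (compared case-insensitively) that betray a hypervisor in
# Win32_BaseBoard.Manufacturer / .Product. "440BX" is the board product
# string VMware guests report.
BOARD_INDICATORS = ("vmware", "virtualbox", "innotek", "qemu", "bochs",
                    "parallels", "virtual machine", "440bx")
# Win32_Processor.Name fragments seen on common hypervisors.
CPU_INDICATORS = ("virtual", "qemu", "kvm")
# IEEE OUIs that hypervisors use when generating guest MAC addresses.
VM_MAC_OUIS = {
    "00:0C:29": "VMware", "00:50:56": "VMware", "00:05:69": "VMware",
    "08:00:27": "VirtualBox", "00:15:5D": "Hyper-V",
    "00:1C:42": "Parallels", "52:54:00": "QEMU/KVM",
}
# Fragments of device-interface paths such as the
# SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00 entry the sample opened.
DEVICE_INDICATORS = ("vmware", "vmwar", "vbox", "qemu", "virtio")


@dataclass
class Host:
    baseboard: dict            # subset of Win32_BaseBoard properties
    processor: dict            # subset of Win32_Processor properties
    adapters: list             # Win32_NetworkAdapterConfiguration rows
    device_paths: list = field(default_factory=list)


def mac_oui(mac: str) -> str | None:
    """Return the first three octets of a MAC as 'AA:BB:CC', or None."""
    m = re.match(r"^([0-9A-F]{2})[:-]([0-9A-F]{2})[:-]([0-9A-F]{2})", mac.upper())
    return ":".join(m.groups()) if m else None


def vm_artifacts(host: Host) -> list[tuple[str, str, str]]:
    """Return (source property, observed value, reason) for every artifact
    a VM-aware sample could key on; an empty list means nothing leaked."""
    hits = []
    for key in ("Manufacturer", "Product"):
        val = host.baseboard.get(key, "")
        if any(ind in val.lower() for ind in BOARD_INDICATORS):
            hits.append((f"Win32_BaseBoard.{key}", val, "hypervisor vendor string"))
    name = host.processor.get("Name", "")
    if any(ind in name.lower() for ind in CPU_INDICATORS):
        hits.append(("Win32_Processor.Name", name, "virtual CPU model string"))
    for nic in host.adapters:
        mac = nic.get("MACAddress", "")
        oui = mac_oui(mac)
        if oui in VM_MAC_OUIS:
            hits.append(("Win32_NetworkAdapterConfiguration.MACAddress", mac,
                         f"{VM_MAC_OUIS[oui]} OUI"))
    for path in host.device_paths:
        if any(ind in path.lower() for ind in DEVICE_INDICATORS):
            hits.append(("device interface path", path, "virtual device name"))
    return hits


# Constructed records: a guest that looks like the VMware sandbox in this
# report, and a physical workstation that passes the same checks.
SANDBOX_LIKE = Host(
    baseboard={"Manufacturer": "Intel Corporation",
               "Product": "440BX Desktop Reference Platform"},
    processor={"Name": "Intel(R) Core(TM) i7 CPU"},
    adapters=[{"MACAddress": "00:0C:29:3A:1B:2C"}],
    device_paths=[r"SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000"],
)
BARE_METAL = Host(
    baseboard={"Manufacturer": "ASUSTeK COMPUTER INC.", "Product": "PRIME Z390-A"},
    processor={"Name": "Intel(R) Core(TM) i7-9700K CPU @ 3.60GHz"},
    adapters=[{"MACAddress": "3C:7C:3F:12:34:56"}],
    device_paths=[r"SCSI#CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GH24NSD1#4&1a2b3c4d&0&000000"],
)

if __name__ == "__main__":
    for label, host in (("sandbox-like", SANDBOX_LIKE), ("bare metal", BARE_METAL)):
        found = vm_artifacts(host)
        print(label, "->", len(found), "artifact(s)")
        for src, val, why in found:
            print("   ", src, "=", val, "[", why, "]")
```

Feeding the function real values (for example from Get-CimInstance on the analysis guest) shows which of the three WMI classes the sandbox should be hardened on first; the MAC OUI is the one that is usually forgotten.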

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E992E0 NtSetInformationThread ?,00000011,?,?,?,?,?,?,?,00E99F4F,00000000,00000000 0_2_00E992E0
Note: information class 0x11 is ThreadHideFromDebugger. Once set, the thread no longer delivers debug events to an attached debugger; the flag can be read back with NtQueryInformationThread using the same class, which is how anti-anti-debug tooling detects it.
Hides threads from debuggers
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Thread information set: HideFromDebugger (14 identical entries)
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Thread information set: HideFromDebugger (28 identical entries)
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Process queried: DebugPort (2 identical entries)
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process queried: DebugPort (4 identical entries)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_067B8460 LdrInitializeThunk, 8_2_067B8460
Enables debug privileges
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Process token adjusted: Debug (2 identical entries)
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process token adjusted: Debug (3 identical entries)
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Memory written: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Memory written: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe base: 400000 value starts with: 4D5A (2 identical entries)
Note: in each entry the target image path is the writer's own, so the "foreign process" is a second, suspended instance of the sample itself into which a PE header (4D5A) is written at the 0x400000 image base. This is self-hollowing rather than injection into an unrelated binary, which matters for detection: the injected process has the same path, hash and signature status as its parent.
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Process created: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1 (3 identical entries)
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1 (2 identical entries)
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe (2 identical entries)
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.914746965.00000000017D0000.00000002.00000001.sdmp, NewApp.exe, 00000018.00000002.915456140.00000000012F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.914746965.00000000017D0000.00000002.00000001.sdmp, NewApp.exe, 00000018.00000002.915456140.00000000012F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.914746965.00000000017D0000.00000002.00000001.sdmp, NewApp.exe, 00000018.00000002.915456140.00000000012F0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.914746965.00000000017D0000.00000002.00000001.sdmp, NewApp.exe, 00000018.00000002.915456140.00000000012F0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
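The process-creation and memory-write entries in this section describe one pattern: a short delay through cmd.exe /c timeout, a second copy of the sample's own image, and an MZ header written into that copy. The following Python is an added example, not sandbox or sample code: it parses behaviour lines of the form shown above and reports every image that exhibits the complete pattern. Its input is copied from the entries in this section plus one constructed benign line as a control; the line grammar it assumes (image paths without spaces, an optional "Jump to behavior" link label) is taken from those entries and is an assumption about the report format, not a published specification.

```python
"""Recover the re-execute-and-inject pattern from sandbox behaviour lines:
the sample spawns cmd.exe /c timeout 1 as a delay, starts a second copy of
its own image, and writes a PE header (4D5A) at the image base of that
copy, i.e. it hollows itself rather than an unrelated binary.

Added example for this report, not sandbox or sample code. REPORT_LINES
are copied from the report's entries plus one constructed benign line; the
line grammar the regexes expect is an assumption drawn from those entries.
"""
import re
from collections import defaultdict

LINK_LABEL_RE = re.compile(r"\s*Jump to behavior$")
PROC_RE = re.compile(
    r"^Source: (?P<parent>\S+) Process created: (?P<child>\S+)(?: (?P<cmdline>.*))?$")
MEM_RE = re.compile(
    r"^Source: (?P<writer>\S+) Memory written: (?P<target>\S+) "
    r"base: (?P<base>[0-9A-Fa-f]+) value starts with: (?P<magic>[0-9A-Fa-f]+)$")


def parse_events(lines):
    """Split report lines into process-creation and cross-process-write
    events; lines of any other kind are ignored."""
    procs, writes = [], []
    for raw in lines:
        line = LINK_LABEL_RE.sub("", raw.strip())   # drop the report's link label
        m = PROC_RE.match(line)
        if m:
            procs.append((m["parent"], m["child"], m["cmdline"] or ""))
            continue
        m = MEM_RE.match(line)
        if m:
            writes.append((m["writer"], m["target"], int(m["base"], 16), m["magic"].upper()))
    return procs, writes


def detect_self_injection(procs, writes):
    """Return {parent image: evidence} for every process that both spawned a
    copy of its own image and wrote an MZ header into a process with that
    same image path. These report lines carry no PIDs, so writer == target
    path is the proxy for 'a fresh copy of itself'."""
    evidence = defaultdict(lambda: {"timeout_delay": 0, "self_spawn": 0,
                                    "mz_into_same_image": []})
    for parent, child, cmdline in procs:
        if child.lower().endswith("\\cmd.exe") and re.search(r"\btimeout\b", cmdline, re.I):
            evidence[parent]["timeout_delay"] += 1
        if child.lower() == parent.lower():
            evidence[parent]["self_spawn"] += 1
    for writer, target, base, magic in writes:
        if writer.lower() == target.lower() and magic.startswith("4D5A"):
            evidence[writer]["mz_into_same_image"].append(hex(base))
    return {p: e for p, e in evidence.items()
            if e["self_spawn"] and e["mz_into_same_image"]}


# Lines copied from the report (two still carry the link label), plus one
# constructed benign control at the end.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Memory written: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe base: 400000 value starts with: 4D5A Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Memory written: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1 Jump to behavior",
    r"Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Process created: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe",
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1",
    r"Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1",
    r"Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe",
    r"Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\notepad.exe notepad.exe",
]

if __name__ == "__main__":
    procs, writes = parse_events(REPORT_LINES)
    for image, ev in detect_self_injection(procs, writes).items():
        print(image)
        print("  self-spawns:", ev["self_spawn"], " timeout delays:", ev["timeout_delay"],
              " MZ written at:", ", ".join(ev["mz_into_same_image"]))
```

The same two conditions (a child whose image equals the parent's, followed by a WriteProcessMemory into it that begins with 4D5A) translate directly into an EDR or Sysmon correlation; the cmd.exe /c timeout spawn is recorded as supporting evidence only, since on its own it is common in legitimate installers.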

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Queries volume information: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Queries volume information: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Queries volume information: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Queries volume information: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Queries volume information: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 0000001F.00000002.811192969.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.833553760.00000000042AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.702719345.000000000442A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.915676599.0000000002898000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.915637033.0000000002DFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.912000692.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.911999717.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.832293360.000000000380F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: A4-058000200390-10-14_REV_pdf.exe PID: 7040, type: MEMORY
Source: Yara match File source: Process Memory Space: NewApp.exe PID: 2092, type: MEMORY
Source: Yara match File source: Process Memory Space: A4-058000200390-10-14_REV_pdf.exe PID: 1572, type: MEMORY
Source: Yara match File source: Process Memory Space: NewApp.exe PID: 6416, type: MEMORY
Source: Yara match File source: Process Memory Space: NewApp.exe PID: 1216, type: MEMORY
Source: Yara match File source: 18.2.NewApp.exe.42f16b0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.NewApp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.A4-058000200390-10-14_REV_pdf.exe.4470150.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.NewApp.exe.42ac090.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.A4-058000200390-10-14_REV_pdf.exe.442ab30.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.A4-058000200390-10-14_REV_pdf.exe.4470150.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.NewApp.exe.3855070.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.A4-058000200390-10-14_REV_pdf.exe.442ab30.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.NewApp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.NewApp.exe.380fa50.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.NewApp.exe.3855070.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.A4-058000200390-10-14_REV_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.NewApp.exe.380fa50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.NewApp.exe.42ac090.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.NewApp.exe.42f16b0.7.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 00000018.00000002.915676599.0000000002898000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.915637033.0000000002DFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: A4-058000200390-10-14_REV_pdf.exe PID: 1572, type: MEMORY
Source: Yara match File source: Process Memory Space: NewApp.exe PID: 6416, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match (same memory dumps and unpacked PE files as listed for this signature under "Stealing of Sensitive Information")
Behavior Graph (rendered as an image; graph text residue omitted): Behavior Graph ID: 356536, Sample: A4-058000200390-10-14_REV_pdf.exe, Startdate: 23/02/2021, Architecture: WINDOWS, Score: 100

Contacted Public IPs

IP             Domain   Country        ASN    ASN Name                                        Malicious
104.21.71.230  unknown  United States  13335  CLOUDFLARENETUS                                 false
103.17.211.69  unknown  Malaysia       45352  IPSERVERONE-AS-APIPServerOneSolutionsSdnBhdMY   true

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
coroloboxorozor.com 104.21.71.230 true
mail.soonlogistics.com 103.17.211.69 true

Contacted URLs

Name                                                                     Malicious  Antivirus Detection    Reputation
http://coroloboxorozor.com/base/BE0C9BE287721D2E1639C8881BC9F105.html    false      Avira URL Cloud: safe  unknown
http://2nUtGMgnxihCA8N2g.org                                             true       Avira URL Cloud: safe  unknown
http://coroloboxorozor.com/base/B7EFDEC15CD29E4CF1B708AC6486760D.html    false      Avira URL Cloud: safe  unknown