Play interactive tour

Edit tour

Analysis Report A4-058000200390-10-14_REV_pdf.exe

Overview

General Information

Sample Name:	A4-058000200390-10-14_REV_pdf.exe
Analysis ID:	356536
MD5:	5af8f94a752ca9996fbfbf01dcc30edd
SHA1:	b52d9ba9b7890e2b51e64ab889805cfce5126ebb
SHA256:	b37d450b7d60fd2497ae794e9835b999339549406b1a05d92bb46a9f1a23eb12
Tags:	AgentTeslaexe
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Binary contains a suspicious time stamp

C2 URLs / IPs found in malware configuration

Contains functionality to hide a thread from the debugger

Contains functionality to register a low level keyboard hook

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

A4-058000200390-10-14_REV_pdf.exe (PID: 7040 cmdline: 'C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe' MD5: 5AF8F94A752CA9996FBFBF01DCC30EDD)

cmd.exe (PID: 1364 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 2228 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

A4-058000200390-10-14_REV_pdf.exe (PID: 1572 cmdline: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe MD5: 5AF8F94A752CA9996FBFBF01DCC30EDD)

WerFault.exe (PID: 6300 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 1588 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

NewApp.exe (PID: 2092 cmdline: 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe' MD5: 5AF8F94A752CA9996FBFBF01DCC30EDD)

cmd.exe (PID: 7132 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 1440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 6576 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

NewApp.exe (PID: 6416 cmdline: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe MD5: 5AF8F94A752CA9996FBFBF01DCC30EDD)

WerFault.exe (PID: 4112 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1956 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

NewApp.exe (PID: 1216 cmdline: 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe' MD5: 5AF8F94A752CA9996FBFBF01DCC30EDD)

cmd.exe (PID: 4488 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 5032 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

NewApp.exe (PID: 1504 cmdline: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe MD5: 5AF8F94A752CA9996FBFBF01DCC30EDD)

WerFault.exe (PID: 1716 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1868 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "EeCndWA", "URL: ": "http://2nUtGMgnxihCA8N2g.org", "To: ": "admin@soonlogistics.com", "ByHost: ": "mail.soonlogistics.com:587", "Password: ": "rLe4bkEV", "From: ": "admin@soonlogistics.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000001F.00000002.811192969.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000012.00000002.833553760.00000000042AC000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.702719345.000000000442A000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000018.00000002.915676599.0000000002898000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000018.00000002.915676599.0000000002898000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.915637033.0000000002DFA000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.915637033.0000000002DFA000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.912000692.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000018.00000002.911999717.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000013.00000002.832293360.000000000380F000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: A4-058000200390-10-14_REV_pdf.exe PID: 7040	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: NewApp.exe PID: 2092	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: A4-058000200390-10-14_REV_pdf.exe PID: 1572	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: A4-058000200390-10-14_REV_pdf.exe PID: 1572	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: NewApp.exe PID: 6416	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: NewApp.exe PID: 6416	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: NewApp.exe PID: 1216	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author
18.2.NewApp.exe.42f16b0.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
31.2.NewApp.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.A4-058000200390-10-14_REV_pdf.exe.4470150.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
18.2.NewApp.exe.42ac090.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.A4-058000200390-10-14_REV_pdf.exe.442ab30.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.A4-058000200390-10-14_REV_pdf.exe.4470150.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
19.2.NewApp.exe.3855070.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.A4-058000200390-10-14_REV_pdf.exe.442ab30.9.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
24.2.NewApp.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
19.2.NewApp.exe.380fa50.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
19.2.NewApp.exe.3855070.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.A4-058000200390-10-14_REV_pdf.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
19.2.NewApp.exe.380fa50.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
18.2.NewApp.exe.42ac090.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
18.2.NewApp.exe.42f16b0.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 10 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: A4-058000200390-10-14_REV_pdf.exe.1572.8.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "EeCndWA", "URL: ": "http://2nUtGMgnxihCA8N2g.org", "To: ": "admin@soonlogistics.com", "ByHost: ": "mail.soonlogistics.com:587", "Password: ": "rLe4bkEV", "From: ": "admin@soonlogistics.com"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe

ReversingLabs: Detection: 12%

Multi AV Scanner detection for submitted file

Show sources

Source: A4-058000200390-10-14_REV_pdf.exe

ReversingLabs: Detection: 12%

Source: 31.2.NewApp.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 24.2.NewApp.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 8.2.A4-058000200390-10-14_REV_pdf.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files

Show sources

Source: A4-058000200390-10-14_REV_pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: A4-058000200390-10-14_REV_pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: rsaenh.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: NewApp.PDB source: NewApp.exe, 00000012.00000002.811053031.0000000000D97000.00000004.00000010.sdmp, NewApp.exe, 00000013.00000002.811010579.00000000003C7000.00000004.00000010.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: NewApp.exe, 00000013.00000002.816199622.0000000000A02000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbcB source: NewApp.exe, 00000013.00000002.816199622.0000000000A02000.00000004.00000020.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 0000000B.00000003.685664401.00000000052AE000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697491414.0000000001159000.00000004.00000020.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.673776774.0000000004C7B000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.685922840.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
Source:	Binary string: dnsapi.pdbJ source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdb` source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
Source:	Binary string: ml.pdb source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 0000000B.00000003.685922840.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000B.00000003.685664401.00000000052AE000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbjB source: NewApp.exe, 00000013.00000002.816199622.0000000000A02000.00000004.00000020.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697491414.0000000001159000.00000004.00000020.sdmp, NewApp.exe, 00000012.00000002.815630033.0000000001206000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmp
Source:	Binary string: urlmon.pdb* source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source:	Binary string: indows.Forms.pdb source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
Source:	Binary string: iVisualBasic.pdb\3 source: NewApp.exe, 00000012.00000002.811053031.0000000000D97000.00000004.00000010.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbd source: NewApp.exe, 00000012.00000002.815630033.0000000001206000.00000004.00000020.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb@ source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb)gc}+ source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697491414.0000000001159000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmp
Source:	Binary string: shlwapi.pdbk source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb, source: WerFault.exe, 0000000B.00000003.685664401.00000000052AE000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb> source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, NewApp.exe, 00000012.00000002.815630033.0000000001206000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.816199622.0000000000A02000.00000004.00000020.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb" source: NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmp
Source:	Binary string: rasadhlp.pdb& source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdbx source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.685664401.00000000052AE000.00000004.00000040.sdmp
Source:	Binary string: iVisualBasic.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.696989572.0000000000CF7000.00000004.00000010.sdmp, NewApp.exe, 00000013.00000002.811010579.00000000003C7000.00000004.00000010.sdmp
Source:	Binary string: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.PDB source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.696989572.0000000000CF7000.00000004.00000010.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
Source:	Binary string: winhttp.pdbn source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbw_ source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697491414.0000000001159000.00000004.00000020.sdmp
Source:	Binary string: ml.ni.pdb source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb4 source: WerFault.exe, 0000000B.00000003.685897028.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: diasymreader.pdb_ source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdb^ source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdbL source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: mscoreei.pdbk source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source:	Binary string: t.VisualBasic.pdb source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000B.00000003.685664401.00000000052AE000.00000004.00000040.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbE3931}\Server source: NewApp.exe, 00000012.00000002.815630033.0000000001206000.00000004.00000020.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: NewApp.exe, 00000012.00000002.815630033.0000000001206000.00000004.00000020.sdmp
Source:	Binary string: fwpuclnt.pdbF source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.685922840.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbh source: WerFault.exe, 0000001A.00000003.799925426.000000000523B000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697491414.0000000001159000.00000004.00000020.sdmp, NewApp.exe, 00000012.00000002.815445862.00000000011F5000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.816199622.0000000000A02000.00000004.00000020.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\NewApp\NewApp.PDB source: NewApp.exe, 00000012.00000002.811053031.0000000000D97000.00000004.00000010.sdmp, NewApp.exe, 00000013.00000002.811010579.00000000003C7000.00000004.00000010.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb[ source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp
Source:	Binary string: rasapi32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp
Source:	Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.696989572.0000000000CF7000.00000004.00000010.sdmp, NewApp.exe, 00000012.00000002.811053031.0000000000D97000.00000004.00000010.sdmp, NewApp.exe, 00000013.00000002.811010579.00000000003C7000.00000004.00000010.sdmp
Source:	Binary string: psapi.pdb!-0 source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb9\ source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697430851.00000000010DF000.00000004.00000020.sdmp
Source:	Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000B.00000003.685664401.00000000052AE000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3 source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source:	Binary string: rtutils.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb` source: NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdbt source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.685922840.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: ml.pdb&& source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
Source:	Binary string: clrjit.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: rasman.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc.pdbP source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.pdb source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb* source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb* source: NewApp.exe, 00000012.00000002.815445862.00000000011F5000.00000004.00000020.sdmp
Source:	Binary string: ore.ni.pdb source: WerFault.exe, 0000000B.00000003.685836587.0000000005127000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: NewApp.exe, 00000013.00000002.816014888.00000000009F0000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\NewApp\NewApp.PDBn^ source: NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.685922840.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: rtutils.pdbr source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: .pdb8h source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.696989572.0000000000CF7000.00000004.00000010.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source:	Binary string: cldapi.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbr source: NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.pdbrr source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
Source:	Binary string: combase.pdbk source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbl.* source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source:	Binary string: A4-058000200390-10-14_REV_pdf.PDBZ source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.696989572.0000000000CF7000.00000004.00000010.sdmp
Source:	Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 0000000B.00000003.685836587.0000000005127000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source:	Binary string: edputil.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://2nUtGMgnxihCA8N2g.org

Source: global traffic

TCP traffic: 192.168.2.4:49763 -> 103.17.211.69:587

Source: global traffic	HTTP traffic detected: GET /base/BE0C9BE287721D2E1639C8881BC9F105.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/B7EFDEC15CD29E4CF1B708AC6486760D.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/BE0C9BE287721D2E1639C8881BC9F105.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/B7EFDEC15CD29E4CF1B708AC6486760D.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/BE0C9BE287721D2E1639C8881BC9F105.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/B7EFDEC15CD29E4CF1B708AC6486760D.html HTTP/1.1Host: coroloboxorozor.com

Source: Joe Sandbox View

IP Address: 104.21.71.230 104.21.71.230

Source: Joe Sandbox View

ASN Name: IPSERVERONE-AS-APIPServerOneSolutionsSdnBhdMY IPSERVERONE-AS-APIPServerOneSolutionsSdnBhdMY

Source: global traffic

TCP traffic: 192.168.2.4:49763 -> 103.17.211.69:587

Source: global traffic	HTTP traffic detected: GET /base/BE0C9BE287721D2E1639C8881BC9F105.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/B7EFDEC15CD29E4CF1B708AC6486760D.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/BE0C9BE287721D2E1639C8881BC9F105.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/B7EFDEC15CD29E4CF1B708AC6486760D.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/BE0C9BE287721D2E1639C8881BC9F105.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/B7EFDEC15CD29E4CF1B708AC6486760D.html HTTP/1.1Host: coroloboxorozor.com

Source: unknown

DNS traffic detected: queries for: coroloboxorozor.com

Source: NewApp.exe, 00000018.00000002.915676599.0000000002898000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916299146.0000000002A55000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916269984.0000000002A4C000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.915858947.000000000298E000.00000004.00000001.sdmp	String found in binary or memory: http://2nUtGMgnxihCA8N2g.org
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920904751.00000000067E0000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916501179.0000000002A9A000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697632475.0000000002C21000.00000004.00000001.sdmp, NewApp.exe, 00000012.00000002.817905457.0000000002F11000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.818132626.0000000002601000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697632475.0000000002C21000.00000004.00000001.sdmp, NewApp.exe, 00000012.00000002.817905457.0000000002F11000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.818132626.0000000002601000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com/base/B7EFDEC15CD29E4CF1B708AC6486760D.html
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697632475.0000000002C21000.00000004.00000001.sdmp, NewApp.exe, 00000012.00000002.817905457.0000000002F11000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.818132626.0000000002601000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com/base/BE0C9BE287721D2E1639C8881BC9F105.html
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920904751.00000000067E0000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916501179.0000000002A9A000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920904751.00000000067E0000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916501179.0000000002A9A000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920904751.00000000067E0000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916501179.0000000002A9A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.916340708.0000000002FFB000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916097296.0000000002A24000.00000004.00000001.sdmp	String found in binary or memory: http://mail.soonlogistics.com
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920904751.00000000067E0000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916501179.0000000002A9A000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920904751.00000000067E0000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916501179.0000000002A9A000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697632475.0000000002C21000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, NewApp.exe, 00000012.00000002.817905457.0000000002F11000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.818132626.0000000002601000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook

Show sources

Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe

Code function: 24_2_0643C37C SetWindowsHookExW 0000000D,00000000,?,?

24_2_0643C37C

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\NewApp\NewApp.exe

Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697398308.00000000010AB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary:

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: A4-058000200390-10-14_REV_pdf.exe

Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 0_2_00E992E0 NtSetInformationThread,	0_2_00E992E0
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 0_2_00E9A031 NtSetInformationThread,	0_2_00E9A031
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 18_2_02DD92E0 NtSetInformationThread,	18_2_02DD92E0
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 19_2_024192E0 NtSetInformationThread,	19_2_024192E0
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 19_2_0241A031 NtSetInformationThread,	19_2_0241A031

Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 0_2_00E905A8	0_2_00E905A8
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 0_2_00E9C761	0_2_00E9C761
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 0_2_00E918F8	0_2_00E918F8
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 0_2_00E95B10	0_2_00E95B10
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 0_2_00E90C60	0_2_00E90C60
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 0_2_00E9BFE7	0_2_00E9BFE7
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 0_2_00E90598	0_2_00E90598
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 0_2_00E95520	0_2_00E95520
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 0_2_00E90C50	0_2_00E90C50
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_02D48210	8_2_02D48210
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_02D40320	8_2_02D40320
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_02D40040	8_2_02D40040
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_02D42743	8_2_02D42743
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_02D41F9C	8_2_02D41F9C
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_02D48200	8_2_02D48200
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_02D47389	8_2_02D47389
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_02D430A0	8_2_02D430A0
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_02D4003B	8_2_02D4003B
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_02D477CD	8_2_02D477CD
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_02D47759	8_2_02D47759
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_02D41F90	8_2_02D41F90
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_02D42FAF	8_2_02D42FAF
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_02D41F3F	8_2_02D41F3F
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_02D43D90	8_2_02D43D90
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_063A8268	8_2_063A8268
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_063ADAE0	8_2_063ADAE0
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_063A0098	8_2_063A0098
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_063AF4E8	8_2_063AF4E8
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_063A9EB8	8_2_063A9EB8
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_063ADAA8	8_2_063ADAA8
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_063AC681	8_2_063AC681
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_063ADAD0	8_2_063ADAD0
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_063ADB67	8_2_063ADB67
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_063AA7FE	8_2_063AA7FE
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_063AC8CD	8_2_063AC8CD
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_063ACCC2	8_2_063ACCC2
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_063ACCC4	8_2_063ACCC4
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_063ACD1A	8_2_063ACD1A
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_063AA558	8_2_063AA558
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_063AC5A8	8_2_063AC5A8
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_063AC5A7	8_2_063AC5A7
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_067B9738	8_2_067B9738
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_067B8460	8_2_067B8460
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_067B0040	8_2_067B0040
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_067B90D0	8_2_067B90D0
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_067B5538	8_2_067B5538
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_067B4D00	8_2_067B4D00
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Code function: 8_2_067B9AE7	8_2_067B9AE7
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 18_2_02DDC618	18_2_02DDC618
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 18_2_02DD05A8	18_2_02DD05A8
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 18_2_02DD5B10	18_2_02DD5B10
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 18_2_02DD18F8	18_2_02DD18F8
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 18_2_02DD2950	18_2_02DD2950
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 18_2_02DDBFF0	18_2_02DDBFF0
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 18_2_02DD0C60	18_2_02DD0C60
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 18_2_02DD0598	18_2_02DD0598
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 18_2_02DD0C50	18_2_02DD0C50
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 19_2_02410598	19_2_02410598
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 19_2_02415B10	19_2_02415B10
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 19_2_024118F8	19_2_024118F8
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 19_2_02412940	19_2_02412940
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 19_2_0241BFF0	19_2_0241BFF0
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 19_2_02410C50	19_2_02410C50
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 19_2_0241CD41	19_2_0241CD41
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 19_2_02415520	19_2_02415520
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_04D22742	24_2_04D22742
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_04D20040	24_2_04D20040
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_04D28210	24_2_04D28210
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_04D20320	24_2_04D20320
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_04D27398	24_2_04D27398
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_04D21F9C	24_2_04D21F9C
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_04D20007	24_2_04D20007
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_04D28200	24_2_04D28200
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_04D20311	24_2_04D20311
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_04D277CD	24_2_04D277CD
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_04D27759	24_2_04D27759
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_04D2309E	24_2_04D2309E
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_04D230A0	24_2_04D230A0
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_04D27389	24_2_04D27389
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_04D23D90	24_2_04D23D90
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_04D21F90	24_2_04D21F90
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_05D3A558	24_2_05D3A558
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_05D3F4E8	24_2_05D3F4E8
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_05D30098	24_2_05D30098
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_05D3DAE0	24_2_05D3DAE0
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_05D3C5A1	24_2_05D3C5A1
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_05D3C5A8	24_2_05D3C5A8
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_05D3A548	24_2_05D3A548
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_05D3CD1A	24_2_05D3CD1A
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_05D3F4D8	24_2_05D3F4D8
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_05D3CCC2	24_2_05D3CCC2
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_05D3CCC4	24_2_05D3CCC4
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_05D37488	24_2_05D37488
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_05D3A7FE	24_2_05D3A7FE
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_05D3C681	24_2_05D3C681
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_05D39EB8	24_2_05D39EB8
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_05D3C8CD	24_2_05D3C8CD
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_05D3DB67	24_2_05D3DB67
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_05D3DAD5	24_2_05D3DAD5
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_063897AB	24_2_063897AB
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06388460	24_2_06388460
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06380040	24_2_06380040
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_063890D0	24_2_063890D0
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06385538	24_2_06385538
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06384D00	24_2_06384D00
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06389AE7	24_2_06389AE7
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06387727	24_2_06387727
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06384424	24_2_06384424
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_0638001F	24_2_0638001F
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06385816	24_2_06385816
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06384CF0	24_2_06384CF0
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_063890CB	24_2_063890CB
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_0638797E	24_2_0638797E
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06435687	24_2_06435687
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_064336B0	24_2_064336B0
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_064345B8	24_2_064345B8
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_064372C0	24_2_064372C0
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06438378	24_2_06438378
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06436338	24_2_06436338
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_0643B050	24_2_0643B050
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06438078	24_2_06438078
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06438E40	24_2_06438E40
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06433C18	24_2_06433C18
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06437DFE	24_2_06437DFE
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06439A20	24_2_06439A20
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_064335DA	24_2_064335DA
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_064345AA	24_2_064345AA
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06434218	24_2_06434218
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06434228	24_2_06434228
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06438369	24_2_06438369
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_0643B042	24_2_0643B042
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06437E49	24_2_06437E49
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06438E4E	24_2_06438E4E
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06433C0A	24_2_06433C0A
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06439A1E	24_2_06439A1E
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06437B2E	24_2_06437B2E
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 24_2_06439938	24_2_06439938
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 31_2_016E0040	31_2_016E0040
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 31_2_016E1F9C	31_2_016E1F9C
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 31_2_016E0006	31_2_016E0006
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 31_2_016E30A0	31_2_016E30A0
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 31_2_016E3092	31_2_016E3092
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 31_2_016E3D90	31_2_016E3D90
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Code function: 31_2_016E2FAF	31_2_016E2FAF

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 1588

Source: A4-058000200390-10-14_REV_pdf.exe

Static PE information: invalid certificate

Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.705986735.00000000051E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697398308.00000000010AB000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.702719345.000000000442A000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameOYSP IuQ.exe2 vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.706448464.0000000005B20000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.706448464.0000000005B20000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.698714228.0000000003C29000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.706578573.0000000005CF0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.696808510.00000000008A6000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIGtzbNIQ.exe2 vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.706664295.0000000005DD0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.913106033.000000000107A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920734902.0000000006790000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.918507319.0000000005F40000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.924161164.0000000006950000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000000.667116345.0000000000A56000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIGtzbNIQ.exe2 vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.923915829.00000000068E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.912393634.0000000000BE7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920690884.0000000006780000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.918554184.0000000005F50000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.912217696.0000000000448000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameOYSP IuQ.exe2 vs A4-058000200390-10-14_REV_pdf.exe

Source: A4-058000200390-10-14_REV_pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp	Binary or memory string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697491414.0000000001159000.00000004.00000020.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_7\|
Source: NewApp.exe, 00000012.00000002.815630033.0000000001206000.00000004.00000020.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbE3931}\Server
Source: NewApp.exe, 00000013.00000002.816014888.00000000009F0000.00000004.00000020.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@27/16@6/3

Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe

File created: C:\Users\user\AppData\Roaming\NewApp

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6328:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7040
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2092
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1216
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3480:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1440:120:WilError_01

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD95.tmp

Jump to behavior

Source: A4-058000200390-10-14_REV_pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: A4-058000200390-10-14_REV_pdf.exe

ReversingLabs: Detection: 12%

Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe

File read: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe 'C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown	Process created: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 1588
Source: unknown	Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1956
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1868
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1	Jump to behavior
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Process created: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe	Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1

Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: A4-058000200390-10-14_REV_pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: A4-058000200390-10-14_REV_pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rsaenh.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: NewApp.PDB source: NewApp.exe, 00000012.00000002.811053031.0000000000D97000.00000004.00000010.sdmp, NewApp.exe, 00000013.00000002.811010579.00000000003C7000.00000004.00000010.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: NewApp.exe, 00000013.00000002.816199622.0000000000A02000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbcB source: NewApp.exe, 00000013.00000002.816199622.0000000000A02000.00000004.00000020.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 0000000B.00000003.685664401.00000000052AE000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697491414.0000000001159000.00000004.00000020.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.673776774.0000000004C7B000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.685922840.00000000052A0000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
Source:	Binary string: dnsapi.pdbJ source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdb` source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp</

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report A4-058000200390-10-14_REV_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary: