
Analysis Report A4-058000200390-10-14_REV_pdf.exe

Overview

General Information

Sample Name: A4-058000200390-10-14_REV_pdf.exe
Analysis ID: 356536
MD5: 5af8f94a752ca9996fbfbf01dcc30edd
SHA1: b52d9ba9b7890e2b51e64ab889805cfce5126ebb
SHA256: b37d450b7d60fd2497ae794e9835b999339549406b1a05d92bb46a9f1a23eb12
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Contains functionality to register a low level keyboard hook
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • A4-058000200390-10-14_REV_pdf.exe (PID: 7040 cmdline: 'C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe' MD5: 5AF8F94A752CA9996FBFBF01DCC30EDD)
    • cmd.exe (PID: 1364 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 2228 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • WerFault.exe (PID: 6300 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 1588 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • NewApp.exe (PID: 2092 cmdline: 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe' MD5: 5AF8F94A752CA9996FBFBF01DCC30EDD)
    • cmd.exe (PID: 7132 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6576 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • NewApp.exe (PID: 6416 cmdline: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe MD5: 5AF8F94A752CA9996FBFBF01DCC30EDD)
    • WerFault.exe (PID: 4112 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1956 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • NewApp.exe (PID: 1216 cmdline: 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe' MD5: 5AF8F94A752CA9996FBFBF01DCC30EDD)
    • cmd.exe (PID: 4488 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5032 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • NewApp.exe (PID: 1504 cmdline: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe MD5: 5AF8F94A752CA9996FBFBF01DCC30EDD)
    • WerFault.exe (PID: 1716 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1868 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "EeCndWA", "URL: ": "http://2nUtGMgnxihCA8N2g.org", "To: ": "admin@soonlogistics.com", "ByHost: ": "mail.soonlogistics.com:587", "Password: ": "rLe4bkEV", "From: ": "admin@soonlogistics.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000001F.00000002.811192969.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000012.00000002.833553760.00000000042AC000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.702719345.000000000442A000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000018.00000002.915676599.0000000002898000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000018.00000002.915676599.0000000002898000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(5 of 12 entries shown)

Unpacked PEs

Source | Rule | Description | Author
18.2.NewApp.exe.42f16b0.7.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
31.2.NewApp.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.A4-058000200390-10-14_REV_pdf.exe.4470150.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
18.2.NewApp.exe.42ac090.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.A4-058000200390-10-14_REV_pdf.exe.442ab30.9.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 10 entries shown)

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: A4-058000200390-10-14_REV_pdf.exe.1572.8.memstr; Malware Configuration Extractor: Agenttesla {"Username: ": "EeCndWA", "URL: ": "http://2nUtGMgnxihCA8N2g.org", "To: ": "admin@soonlogistics.com", "ByHost: ": "mail.soonlogistics.com:587", "Password: ": "rLe4bkEV", "From: ": "admin@soonlogistics.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe; ReversingLabs: Detection: 12%
Multi AV Scanner detection for submitted file
Source: A4-058000200390-10-14_REV_pdf.exe; ReversingLabs: Detection: 12%
Source: 31.2.NewApp.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 24.2.NewApp.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 8.2.A4-058000200390-10-14_REV_pdf.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: A4-058000200390-10-14_REV_pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: A4-058000200390-10-14_REV_pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
                      Source: Binary string: .pdb8h source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.696989572.0000000000CF7000.00000004.00000010.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
                      Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: cldapi.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\mscorlib.pdbr source: NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
                      Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
                      Source: Binary string: onfiguration.pdbrr source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
                      Source: Binary string: combase.pdbk source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbl.* source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: A4-058000200390-10-14_REV_pdf.PDBZ source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.696989572.0000000000CF7000.00000004.00000010.sdmp
                      Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000B.00000003.685836587.0000000005127000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: edputil.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp

                      Networking:

                      C2 URLs / IPs found in malware configuration
                      Source: Malware configuration extractor URLs: http://2nUtGMgnxihCA8N2g.org
                      Source: global traffic TCP traffic: 192.168.2.4:49763 -> 103.17.211.69:587
                      Source: global traffic HTTP traffic detected: GET /base/BE0C9BE287721D2E1639C8881BC9F105.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
                      Source: global traffic HTTP traffic detected: GET /base/B7EFDEC15CD29E4CF1B708AC6486760D.html HTTP/1.1 Host: coroloboxorozor.com
                      Source: global traffic HTTP traffic detected: GET /base/BE0C9BE287721D2E1639C8881BC9F105.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
                      Source: global traffic HTTP traffic detected: GET /base/B7EFDEC15CD29E4CF1B708AC6486760D.html HTTP/1.1 Host: coroloboxorozor.com
                      Source: global traffic HTTP traffic detected: GET /base/BE0C9BE287721D2E1639C8881BC9F105.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
                      Source: global traffic HTTP traffic detected: GET /base/B7EFDEC15CD29E4CF1B708AC6486760D.html HTTP/1.1 Host: coroloboxorozor.com
                      Source: Joe Sandbox View IP Address: 104.21.71.230
                      Source: Joe Sandbox View ASN Name: IPSERVERONE-AS-APIPServerOneSolutionsSdnBhdMY
                      Source: unknown DNS traffic detected: queries for: coroloboxorozor.com
                      Source: NewApp.exe, 00000018.00000002.915676599.0000000002898000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916299146.0000000002A55000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916269984.0000000002A4C000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.915858947.000000000298E000.00000004.00000001.sdmp String found in binary or memory: http://2nUtGMgnxihCA8N2g.org
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920904751.00000000067E0000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916501179.0000000002A9A000.00000004.00000001.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697632475.0000000002C21000.00000004.00000001.sdmp, NewApp.exe, 00000012.00000002.817905457.0000000002F11000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.818132626.0000000002601000.00000004.00000001.sdmp String found in binary or memory: http://coroloboxorozor.com
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697632475.0000000002C21000.00000004.00000001.sdmp, NewApp.exe, 00000012.00000002.817905457.0000000002F11000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.818132626.0000000002601000.00000004.00000001.sdmp String found in binary or memory: http://coroloboxorozor.com/base/B7EFDEC15CD29E4CF1B708AC6486760D.html
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697632475.0000000002C21000.00000004.00000001.sdmp, NewApp.exe, 00000012.00000002.817905457.0000000002F11000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.818132626.0000000002601000.00000004.00000001.sdmp String found in binary or memory: http://coroloboxorozor.com/base/BE0C9BE287721D2E1639C8881BC9F105.html
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920904751.00000000067E0000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916501179.0000000002A9A000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920904751.00000000067E0000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916501179.0000000002A9A000.00000004.00000001.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920904751.00000000067E0000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916501179.0000000002A9A000.00000004.00000001.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.916340708.0000000002FFB000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916097296.0000000002A24000.00000004.00000001.sdmp String found in binary or memory: http://mail.soonlogistics.com
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920904751.00000000067E0000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916501179.0000000002A9A000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/0
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920904751.00000000067E0000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916501179.0000000002A9A000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.lencr.org0
                      Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
                      Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
                      Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
                      Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
                      Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
                      Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
                      Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697632475.0000000002C21000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, NewApp.exe, 00000012.00000002.817905457.0000000002F11000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.818132626.0000000002601000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
                      Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
                      Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
                      Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
                      Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
                      Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
                      Source: WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Contains functionality to register a low level keyboard hook
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_0643C37C SetWindowsHookExW 0000000D,00000000,?,?
                      Installs a global keyboard hook
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697398308.00000000010AB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Window created: window name: CLIPBRDWNDCLASS
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Window created: window name: CLIPBRDWNDCLASS

                      System Summary:

                      Initial sample is a PE file and has a suspicious name
                      Source: initial sample Static PE information: Filename: A4-058000200390-10-14_REV_pdf.exe
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E992E0 NtSetInformationThread,
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E9A031 NtSetInformationThread,
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 18_2_02DD92E0 NtSetInformationThread,
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 19_2_024192E0 NtSetInformationThread,
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 19_2_0241A031 NtSetInformationThread,
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E905A8
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E9C761
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E918F8
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E95B10
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E90C60
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E9BFE7
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E90598
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E95520
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E90C50
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_02D48210
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_02D40320
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_02D40040
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_02D42743
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_02D41F9C
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_02D48200
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_02D47389
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_02D430A0
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_02D4003B
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_02D477CD
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_02D47759
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_02D41F90
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_02D42FAF
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_02D41F3F
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_02D43D90
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063A8268
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063ADAE0
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063A0098
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063AF4E8
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063A9EB8
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063ADAA8
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063AC681
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063ADAD0
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063ADB67
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063AA7FE
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063AC8CD
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063ACCC2
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063ACCC4
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063ACD1A
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063AA558
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063AC5A8
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063AC5A7
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_067B9738
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_067B8460
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_067B0040
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_067B90D0
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_067B5538
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_067B4D00
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_067B9AE7
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 18_2_02DDC618
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 18_2_02DD05A8
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 18_2_02DD5B10
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 18_2_02DD18F8
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 18_2_02DD2950
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 18_2_02DDBFF0
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 18_2_02DD0C60
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 18_2_02DD0598
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 18_2_02DD0C50
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 19_2_02410598
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 19_2_02415B10
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 19_2_024118F8
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 19_2_02412940
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 19_2_0241BFF0
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 19_2_02410C50
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 19_2_0241CD41
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 19_2_02415520
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_04D22742
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_04D20040
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_04D28210
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_04D20320
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_04D27398
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_04D21F9C
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_04D20007
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_04D28200
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_04D20311
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_04D277CD
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_04D27759
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_04D2309E
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_04D230A0
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_04D27389
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_04D23D90
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_04D21F90
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_05D3A558
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_05D3F4E8
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_05D30098
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_05D3DAE0
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_05D3C5A1
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_05D3C5A8
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_05D3A548
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_05D3CD1A
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_05D3F4D8
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_05D3CCC2
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_05D3CCC4
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_05D37488
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_05D3A7FE
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_05D3C681
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_05D39EB8
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_05D3C8CD
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_05D3DB67
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_05D3DAD5
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_063897AB
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_06388460
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_06380040
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_063890D0
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_06385538
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_06384D00
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_06389AE7
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_06387727
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_06384424
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_0638001F
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_06385816
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_06384CF0
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_063890CB
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_0638797E
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_06435687
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_064336B0
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_064345B8
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_064372C0
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_06438378
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_06436338
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_0643B050
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_06438078
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_06438E40
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_06433C18
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_06437DFE
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_06439A20
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeCode function: 24_2_064335DA24_2_064335DA
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeCode function: 24_2_064345AA24_2_064345AA
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeCode function: 24_2_0643421824_2_06434218
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeCode function: 24_2_0643422824_2_06434228
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeCode function: 24_2_0643836924_2_06438369
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeCode function: 24_2_0643B04224_2_0643B042
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeCode function: 24_2_06437E4924_2_06437E49
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeCode function: 24_2_06438E4E24_2_06438E4E
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeCode function: 24_2_06433C0A24_2_06433C0A
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeCode function: 24_2_06439A1E24_2_06439A1E
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeCode function: 24_2_06437B2E24_2_06437B2E
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeCode function: 24_2_0643993824_2_06439938
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeCode function: 31_2_016E004031_2_016E0040
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeCode function: 31_2_016E1F9C31_2_016E1F9C
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeCode function: 31_2_016E000631_2_016E0006
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeCode function: 31_2_016E30A031_2_016E30A0
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeCode function: 31_2_016E309231_2_016E3092
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeCode function: 31_2_016E3D9031_2_016E3D90
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeCode function: 31_2_016E2FAF31_2_016E2FAF
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 1588
Source: A4-058000200390-10-14_REV_pdf.exe | Static PE information: invalid certificate
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.705986735.00000000051E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697398308.00000000010AB000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.702719345.000000000442A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameOYSP IuQ.exe2 vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.706448464.0000000005B20000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.706448464.0000000005B20000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.698714228.0000000003C29000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.706578573.0000000005CF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.696808510.00000000008A6000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIGtzbNIQ.exe2 vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.706664295.0000000005DD0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.913106033.000000000107A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920734902.0000000006790000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.918507319.0000000005F40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.924161164.0000000006950000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000000.667116345.0000000000A56000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIGtzbNIQ.exe2 vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.923915829.00000000068E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.912393634.0000000000BE7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920690884.0000000006780000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.918554184.0000000005F50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.912217696.0000000000448000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameOYSP IuQ.exe2 vs A4-058000200390-10-14_REV_pdf.exe
Source: A4-058000200390-10-14_REV_pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp | Binary or memory string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697491414.0000000001159000.00000004.00000020.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_7|
Source: NewApp.exe, 00000012.00000002.815630033.0000000001206000.00000004.00000020.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbE3931}\Server
Source: NewApp.exe, 00000013.00000002.816014888.00000000009F0000.00000004.00000020.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@27/16@6/3
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | File created: C:\Users\user\AppData\Roaming\NewApp
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6328:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7040
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2092
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1216
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3480:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1440:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD95.tmp
Source: A4-058000200390-10-14_REV_pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: A4-058000200390-10-14_REV_pdf.exe | ReversingLabs: Detection: 12%
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | File read: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe
Source: unknown | Process created: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe 'C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown | Process created: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 1588
Source: unknown | Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1956
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1868
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Process created: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
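The parent/child "Process created" entries above show the same two-step shape twice: the image runs `cmd.exe /c timeout 1` and then starts a second instance of itself, first from the Desktop and then from the persisted copy under `%APPDATA%\NewApp`. The script below is an added example (not part of the JoeSandbox report and not code from the sample) that turns those entries into a parent/child tree and flags that delay-then-self-spawn pattern, which is the usual outward shape of a self-injecting RunPE-style loader. The input lines are constructed from this page's entries in the `Source: <parent> | Process created: <child> <command line>` layout used here; that layout, the `REPORT_LINES` list and the helper names are assumptions of the example, not an export format.

```python
import re
from collections import defaultdict

# Constructed input: the parent/child "Process created" entries of this report,
# rendered as "Source: <parent> | Process created: <child image> <command line>".
# This layout is the one used on this page, not a JoeSandbox export format.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1",
    r"Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Process created: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe",
    r"Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1",
    r"Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1",
    r"Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe",
    r"Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1",
]

# The child image path is taken up to the first ".exe " (image paths in this
# report contain no spaces); everything after it is the child's command line.
LINE_RE = re.compile(
    r"^Source: (?P<parent>.+?) \| Process created: (?P<child>.+?\.exe) (?P<cmdline>.*)$",
    re.IGNORECASE,
)
# "cmd.exe /c timeout N": a cheap sleep used as a delay before the next stage.
TIMEOUT_RE = re.compile(r"\bcmd\.exe['\"]?\s+/c\s+timeout\s+\d+", re.IGNORECASE)


def parse_process_events(lines):
    """Return (parent_image, child_image, child_cmdline) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["parent"], m["child"], m["cmdline"]))
    return events


def build_tree(events):
    """Map each parent image to the list of (child image, command line) it spawned."""
    tree = defaultdict(list)
    for parent, child, cmdline in events:
        tree[parent].append((child, cmdline))
    return tree


def is_user_writable_path(path):
    """True for locations an unprivileged user can write to (typical persistence drop zones)."""
    p = path.lower()
    return "\\appdata\\" in p or "\\users\\public\\" in p or "\\temp\\" in p


def find_loader_pattern(events):
    """Flag images that both run 'cmd /c timeout N' and spawn a copy of themselves.

    A short delay followed by a second instance of the same image is the usual
    outward shape of a self-injecting (RunPE-style) loader: the first instance
    unpacks, the second is the target that receives the payload.
    """
    findings = []
    for parent, children in build_tree(events).items():
        delays = [cmd for child, cmd in children if TIMEOUT_RE.search(cmd)]
        self_spawns = [child for child, _ in children if child.lower() == parent.lower()]
        if delays and self_spawns:
            findings.append({
                "image": parent,
                "delay_cmdline": delays[0],
                "self_spawns": len(self_spawns),
                "from_user_writable": is_user_writable_path(parent),
            })
    return findings


if __name__ == "__main__":
    for finding in find_loader_pattern(parse_process_events(REPORT_LINES)):
        print(finding)
```

Run against this report's entries the function returns two findings, one for the Desktop dropper and one for `NewApp.exe`, with only the second marked as running from a user-writable location. The same three conditions (delay via `cmd /c timeout`, self-spawn, image under `%APPDATA%`) map directly onto Sysmon event ID 1 fields (ParentImage, Image, CommandLine) for a hunting query.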
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: A4-058000200390-10-14_REV_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: A4-058000200390-10-14_REV_pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: NewApp.PDB source: NewApp.exe, 00000012.00000002.811053031.0000000000D97000.00000004.00000010.sdmp, NewApp.exe, 00000013.00000002.811010579.00000000003C7000.00000004.00000010.sdmp
                      Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: NewApp.exe, 00000013.00000002.816199622.0000000000A02000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbcB source: NewApp.exe, 00000013.00000002.816199622.0000000000A02000.00000004.00000020.sdmp
                      Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000B.00000003.685664401.00000000052AE000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697491414.0000000001159000.00000004.00000020.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.673776774.0000000004C7B000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.685922840.00000000052A0000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
                      Source: Binary string: dnsapi.pdbJ source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdb` source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
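Two of the string families the report pulled from memory dumps carry attribution value: the `OriginalFilename ... vs` entries earlier on this page (where `OYSP IuQ.exe`, `IGtzbNIQ.exe` and `RunPeBraba.dll` match neither the file on disk nor any module the process loaded, so they are the version info of an unpacked payload) and the PDB paths listed just above. The scanner below is an added example, not code from the report or the sample: it recovers both string types from a raw dump and reports OriginalFilename values that cannot be explained by the on-disk name or the loaded modules. `SAMPLE_DUMP` is a constructed byte blob that stands in for an `.sdmp` region; its padding, the regular expressions and the function names are assumptions of the example.

```python
import re


def _utf16(text):
    return text.encode("utf-16-le")


# Constructed memory-dump fragment standing in for the .sdmp regions listed in
# the report: two VS_VERSION_INFO-style UTF-16LE "OriginalFilename" entries with
# values taken from this page, one ASCII PDB path from this page, and filler bytes.
SAMPLE_DUMP = (
    b"\x00" * 8
    + _utf16("OriginalFilename") + b"\x00\x00" + _utf16("OYSP IuQ.exe") + b"\x00\x00"
    + b"\xcc" * 5
    + b"f:\\binaries\\Intermediate\\vb\\microsoft.visualbasic.build.vbproj_731629843"
    + b"\\objr\\x86\\Microsoft.VisualBasic.pdb\x00"
    + _utf16("OriginalFilename") + b"\x00\x00" + _utf16("clr.dll") + b"\x00\x00"
    + b"\xff" * 3
)

# "OriginalFilename" as UTF-16LE, one or more NUL pairs (terminator plus
# alignment padding), then a NUL-terminated printable UTF-16LE value; this is how
# a VS_VERSION_INFO string table lays out key and value.
_KEY_UTF16 = b"".join(b"%c\\x00" % c for c in b"OriginalFilename")
ORIGINAL_FILENAME_RE = re.compile(
    _KEY_UTF16 + rb"(?:\x00\x00)+((?:[\x20-\x7e]\x00){1,260}?)\x00\x00"
)
# ASCII PDB path: a run of printable bytes ending in ".pdb".
PDB_PATH_RE = re.compile(rb"[\x20-\x7e]{4,260}?\.pdb")


def extract_original_filenames(blob):
    """UTF-16LE OriginalFilename values found in a memory dump, in order of appearance."""
    return [m.group(1).decode("utf-16-le") for m in ORIGINAL_FILENAME_RE.finditer(blob)]


def extract_pdb_paths(blob):
    """ASCII PDB paths found in a memory dump (build-environment leakage)."""
    return [m.group(0).decode("ascii") for m in PDB_PATH_RE.finditer(blob)]


def unexpected_original_filenames(blob, on_disk_name, loaded_modules):
    """OriginalFilename values that belong neither to the file on disk nor to any
    module the process loaded: version info of a payload sitting in memory."""
    known = {on_disk_name.lower()} | {m.lower() for m in loaded_modules}
    return [n for n in extract_original_filenames(blob) if n.lower() not in known]


if __name__ == "__main__":
    print(extract_original_filenames(SAMPLE_DUMP))
    print(extract_pdb_paths(SAMPLE_DUMP))
    print(unexpected_original_filenames(
        SAMPLE_DUMP, "A4-058000200390-10-14_REV_pdf.exe", ["clr.dll"]))
```

On the constructed blob the scanner returns `OYSP IuQ.exe` and `clr.dll`, the full `Microsoft.VisualBasic.pdb` path, and only `OYSP IuQ.exe` as unexplained once `clr.dll` is supplied as a loaded module. Against a real dump, pass the module list from the sandbox's loaded-DLL view; what remains is a candidate name for the injected stage and a pivot for retro-hunting other samples.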