
Analysis Report EXTRACTOSERFINANZA989543704031499704092798964.exe

Overview

General Information

Sample Name: EXTRACTOSERFINANZA989543704031499704092798964.exe
Analysis ID: 399743
MD5: 2e91e5e3d39ce4155edad4f2a3acf916
SHA1: 58adf5d60d9da823a4fd62282c0c46134e20e47b
SHA256: eb9e13fd092522e4dde08e96961117f9926e3ef70ca3b225f8c388e476541a21
Tags: exe, RAT, RemcosRAT

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Country aware sample found (crashes after keyboard check)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to detect virtual machines (SGDT)
Contains functionality to detect virtual machines (SMSW)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name recorded in its version info
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara signature match


Startup

  • System is w10x64
  • EXTRACTOSERFINANZA989543704031499704092798964.exe (PID: 6880 cmdline: 'C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe' MD5: 2E91E5E3D39CE4155EDAD4F2A3ACF916)
    • cmd.exe (PID: 7128 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6168 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • EXTRACTOSERFINANZA989543704031499704092798964.exe (PID: 6292 cmdline: C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe MD5: 2E91E5E3D39CE4155EDAD4F2A3ACF916)
      • wscript.exe (PID: 6548 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
        • cmd.exe (PID: 3400 cmdline: 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • PxxoServicesTrialNet1.exe (PID: 5772 cmdline: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe MD5: 2E91E5E3D39CE4155EDAD4F2A3ACF916)
            • cmd.exe (PID: 7004 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • timeout.exe (PID: 7056 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
            • PxxoServicesTrialNet1.exe (PID: 7068 cmdline: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe MD5: 2E91E5E3D39CE4155EDAD4F2A3ACF916)
            • PxxoServicesTrialNet1.exe (PID: 4480 cmdline: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe MD5: 2E91E5E3D39CE4155EDAD4F2A3ACF916)
            • WerFault.exe (PID: 6388 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 1448 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 1000 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6880 -s 1496 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • PxxoServicesTrialNet1.exe (PID: 6648 cmdline: 'C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe' MD5: 2E91E5E3D39CE4155EDAD4F2A3ACF916)
    • cmd.exe (PID: 5048 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 1444 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • PxxoServicesTrialNet1.exe (PID: 6360 cmdline: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe MD5: 2E91E5E3D39CE4155EDAD4F2A3ACF916)
    • PxxoServicesTrialNet1.exe (PID: 6788 cmdline: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe MD5: 2E91E5E3D39CE4155EDAD4F2A3ACF916)
    • WerFault.exe (PID: 6596 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6648 -s 1476 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • PxxoServicesTrialNet1.exe (PID: 7144 cmdline: 'C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe' MD5: 2E91E5E3D39CE4155EDAD4F2A3ACF916)
    • cmd.exe (PID: 2240 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6224 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
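The process tree above repeats one pattern at every stage: the running copy spawns `cmd.exe /c timeout 1`, then starts a second instance of its own image (the suspended child that receives the injected Remcos payload), and the dropped copy is launched by wscript.exe running install.vbs from the user's Temp folder. The following detection logic is an added example, not Joe Sandbox code; its event list is constructed from the PIDs, images and command lines in the tree (parents of the root processes are not shown in the report, hence ppid=None), the Sysmon-like field names are an assumption, and the explorer.exe/notepad rows are a constructed benign control.

```python
"""Process-tree heuristics for the Remcos launch pattern (added example)."""
import ntpath
import re
from collections import defaultdict

SAMPLE = r"C:\Users\user\Desktop\EXTRACTOSERFINANZA989543704031499704092798964.exe"
COPY = r"C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe"
CMD = r"C:\Windows\System32\cmd.exe"
WSCRIPT = r"C:\Windows\System32\WScript.exe"

# Process-creation events reconstructed from the report's process tree.
EVENTS = [
    {"pid": 6880, "ppid": None, "image": SAMPLE, "cmdline": "'%s'" % SAMPLE},
    {"pid": 7128, "ppid": 6880, "image": CMD, "cmdline": "'%s' /c timeout 1" % CMD},
    {"pid": 6292, "ppid": 6880, "image": SAMPLE, "cmdline": SAMPLE},
    {"pid": 6548, "ppid": 6292, "image": WSCRIPT,
     "cmdline": r"'%s' 'C:\Users\user\AppData\Local\Temp\install.vbs'" % WSCRIPT},
    {"pid": 3400, "ppid": 6548, "image": CMD, "cmdline": "'%s' /c '%s'" % (CMD, COPY)},
    {"pid": 5772, "ppid": 3400, "image": COPY, "cmdline": COPY},
    {"pid": 7004, "ppid": 5772, "image": CMD, "cmdline": "'%s' /c timeout 1" % CMD},
    {"pid": 7068, "ppid": 5772, "image": COPY, "cmdline": COPY},
    {"pid": 4480, "ppid": 5772, "image": COPY, "cmdline": COPY},
    {"pid": 7144, "ppid": None, "image": COPY, "cmdline": "'%s'" % COPY},
    {"pid": 2240, "ppid": 7144, "image": CMD, "cmdline": "'%s' /c timeout 1" % CMD},
    # Constructed benign control: a timeout helper with no self-relaunch.
    {"pid": 9001, "ppid": None, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 9002, "ppid": 9001, "image": CMD, "cmdline": "'%s' /c timeout 5" % CMD},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_SCRIPT = re.compile(r"""\\AppData\\Local\\Temp\\[^'" ]+\.(vbs|vbe|js|jse|wsf)\b""", re.I)


def _base(image):
    return ntpath.basename(image).lower()


def is_timeout_cmd(ev):
    """cmd.exe used purely as a sleep primitive: `cmd.exe /c timeout N`."""
    return _base(ev["image"]) == "cmd.exe" and re.search(r"/c\s+timeout\b", ev["cmdline"], re.I) is not None


def is_same_image(child, parent):
    return ntpath.normcase(child["image"]) == ntpath.normcase(parent["image"])


def find_self_relaunch_with_delay(events):
    """Parents that spawn a timeout-only cmd.exe AND a new process from their own image."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)
    findings = []
    for parent in events:
        kids = children.get(parent["pid"], [])
        if not any(is_timeout_cmd(k) for k in kids):
            continue
        copies = [k["pid"] for k in kids if is_same_image(k, parent)]
        if copies:  # the relaunched copy is the likely injection target
            findings.append({"pid": parent["pid"], "image": parent["image"], "relaunched_pids": copies})
    return findings


def find_temp_script_launches(events):
    """wscript/cscript executing a script dropped under the user's Temp folder."""
    return [ev["pid"] for ev in events
            if _base(ev["image"]) in SCRIPT_HOSTS and TEMP_SCRIPT.search(ev["cmdline"])]


if __name__ == "__main__":
    for hit in find_self_relaunch_with_delay(EVENTS):
        print("self-relaunch after timeout:", hit)
    print("temp script hosts:", find_temp_script_launches(EVENTS))
```

PID 7144 is the negative case the tree itself supplies: it runs the timeout helper but no relaunched copy is listed beneath it, so it is not flagged. Requiring both children of the same parent keeps ordinary `timeout`-based batch scripts out of the results.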

Malware Configuration

Threatname: Remcos

{
  "Host:Port:Password": "databasepropersonombrecomercialideasearchwords.services:3521:uuo-qp",
  "Assigned name": "ArtilleriaRestore",
  "Connect interval": "1",
  "Install flag": "Enable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Disable",
  "Install path": "AppData",
  "Copy file": "PxxoServicesTrialNet1.exe",
  "Startup value": "MservicesOrg2",
  "Hide file": "Enable",
  "Mutex": "RemcosX2-Y057I8",
  "Keylog flag": "1",
  "Keylog path": "AppData",
  "Keylog file": "xlogs171.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "wikipedia;solitaire;",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5",
  "Audio path": "AppData",
  "Audio folder": "MicRecords",
  "Connect delay": "0",
  "Copy folder": "System32",
  "Keylog folder": "Runtime12",
  "Keylog file max size": "10000"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings listed beneath each row)
00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp | Remcos_1 | Remcos Payload | kevoreilly
  • 0x16510:$name: Remcos
  • 0x16888:$name: Remcos
  • 0x16de0:$name: Remcos
  • 0x16e33:$name: Remcos
  • 0x15674:$time: %02i:%02i:%02i:%03i
  • 0x156fc:$time: %02i:%02i:%02i:%03i
  • 0x16be4:$time: %02i:%02i:%02i:%03i
  • 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp | REMCOS_RAT_variants | unknown | unknown
  • 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
  • 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x159e0:$str_b2: Executing file:
  • 0x16798:$str_b3: GetDirectListeningPort
  • 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x16534:$str_b5: licence_code.txt
  • 0x1649c:$str_b6: \restart.vbs
  • 0x163c0:$str_b8: \uninstall.vbs
  • 0x1596c:$str_b9: Downloaded file:
  • 0x15998:$str_b10: Downloading file:
  • 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
  • 0x159fc:$str_b12: Failed to upload file:
  • 0x167d8:$str_b13: StartForward
  • 0x167bc:$str_b14: StopForward
  • 0x16330:$str_b15: fso.DeleteFile "
  • 0x16394:$str_b16: On Error Resume Next
  • 0x162fc:$str_b17: fso.DeleteFolder "
  • 0x15a14:$str_b18: Uploaded file:
00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp | Remcos_1 | Remcos Payload | kevoreilly
  • 0x16510:$name: Remcos
  • 0x16888:$name: Remcos
  • 0x16de0:$name: Remcos
  • 0x16e33:$name: Remcos
  • 0x15674:$time: %02i:%02i:%02i:%03i
  • 0x156fc:$time: %02i:%02i:%02i:%03i
  • 0x16be4:$time: %02i:%02i:%02i:%03i
  • 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
(17 further memory-dump matches not shown)

Unpacked PEs

Source | Rule | Description | Author (matched strings listed beneath each row)
33.2.PxxoServicesTrialNet1.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
33.2.PxxoServicesTrialNet1.exe.400000.0.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly
  • 0x16510:$name: Remcos
  • 0x16888:$name: Remcos
  • 0x16de0:$name: Remcos
  • 0x16e33:$name: Remcos
  • 0x15674:$time: %02i:%02i:%02i:%03i
  • 0x156fc:$time: %02i:%02i:%02i:%03i
  • 0x16be4:$time: %02i:%02i:%02i:%03i
  • 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
33.2.PxxoServicesTrialNet1.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
  • 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x159e0:$str_b2: Executing file:
  • 0x16798:$str_b3: GetDirectListeningPort
  • 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x16534:$str_b5: licence_code.txt
  • 0x1649c:$str_b6: \restart.vbs
  • 0x163c0:$str_b8: \uninstall.vbs
  • 0x1596c:$str_b9: Downloaded file:
  • 0x15998:$str_b10: Downloading file:
  • 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
  • 0x159fc:$str_b12: Failed to upload file:
  • 0x167d8:$str_b13: StartForward
  • 0x167bc:$str_b14: StopForward
  • 0x16330:$str_b15: fso.DeleteFile "
  • 0x16394:$str_b16: On Error Resume Next
  • 0x162fc:$str_b17: fso.DeleteFolder "
  • 0x15a14:$str_b18: Uploaded file:
16.2.PxxoServicesTrialNet1.exe.49ce510.5.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
16.2.PxxoServicesTrialNet1.exe.49ce510.5.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly
  • 0x16510:$name: Remcos
  • 0x16888:$name: Remcos
  • 0x16de0:$name: Remcos
  • 0x16e33:$name: Remcos
  • 0x15674:$time: %02i:%02i:%02i:%03i
  • 0x156fc:$time: %02i:%02i:%02i:%03i
  • 0x16be4:$time: %02i:%02i:%02i:%03i
  • 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...
(57 further unpacked-PE matches not shown)

Sigma Overview

System Summary:

Sigma detected: Remcos
Source: Registry Key set, Author: Joe Security
  • EventID: 13
  • Image: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe
  • ProcessId: 4480
  • TargetObject: HKEY_CURRENT_USER\Software\RemcosX2-Y057I8\exepath
  • Details (value data): ED 7B 37 DF 39 55 50 9B 55 9D 08 40 1D 41 4B D4 20 95 6C A2 D8 29 76 33 44 E7 95 ED A9 D3 02 30 B2 4C 86 FC 4B 2B 1E CE 8D AD 65 88 FB 0D AA 8F 2D 8F 33 21 AE D3 AD B9 0A A8 65 CD 72 78 4C C3 D1 F4 FB 00 C2 E7 08 86 C1 A6 B8 B7 D6 9E 3B 53 3D 90 59 1A CE 08 A5 CA 19 1A 22 2B 9A D8 22 36 6C 1E 09 FF 2B FD A7 DE 30 09 87 13 9D AD 22 F5 39 10 6B 62 68 CE 98 57 45 C7 2A 6F 32 DC 6F 74 14 85 F1 CF
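The extracted configuration in the Malware Configuration section and the registry event the Sigma rule matched above describe the same infection from two sides: the config says where Remcos will install, which Run value it will create and which mutex it will use; the Sysmon event shows the installed copy writing HKCU\Software\RemcosX2-Y057I8\exepath. The script below is an added example, not Joe Sandbox code. It derives host artifacts from the config and checks the registry event against them. Only the configuration fields it uses are reproduced; mapping the "AppData" setting to %APPDATA% is an assumption that agrees with the C:\Users\user\AppData\Roaming\System32\ install location in the process tree, and deriving HKCU\Software\<Mutex>\exepath from the mutex is an assumption that agrees with the TargetObject in the Sigma event.

```python
"""Derive hunting artifacts from a Remcos config and match a registry event (added example)."""
import ntpath

# Subset of the extracted configuration, copied from the report.
CONFIG = {
    "Host:Port:Password": "databasepropersonombrecomercialideasearchwords.services:3521:uuo-qp",
    "Install flag": "Enable",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Disable",
    "Install path": "AppData",
    "Copy folder": "System32",
    "Copy file": "PxxoServicesTrialNet1.exe",
    "Startup value": "MservicesOrg2",
    "Mutex": "RemcosX2-Y057I8",
    "Keylog flag": "1",
    "Keylog path": "AppData",
    "Keylog folder": "Runtime12",
    "Keylog file": "xlogs171.dat",
}

# Registry value set (Sysmon event ID 13) as listed in the Sigma section of the report.
SIGMA_EVENT = {
    "EventID": 13,
    "Image": r"C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe",
    "ProcessId": 4480,
    "TargetObject": r"HKEY_CURRENT_USER\Software\RemcosX2-Y057I8\exepath",
}

# Assumption: the sandbox user's profile, taken from the paths in the report.
ENV = {"APPDATA": r"C:\Users\user\AppData\Roaming"}

PATH_ROOTS = {"AppData": "%APPDATA%"}  # assumption: Remcos "AppData" resolves to %APPDATA%
RUN_KEYS = {
    "HKCU": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
}
HIVE_ALIASES = {"hkey_current_user": "hkcu", "hkey_local_machine": "hklm"}


def parse_c2(value):
    """'host:port:password' -> dict; rsplit so the password may itself contain ':'."""
    host, port, password = value.rsplit(":", 2)
    return {"host": host, "port": int(port), "password": password}


def derive_iocs(cfg):
    """Network and host artifacts implied by the configuration."""
    iocs = {
        "c2": parse_c2(cfg["Host:Port:Password"]),
        "mutex": cfg["Mutex"],
        # Assumption (matches the Sigma event): per-install key named after the mutex.
        "exepath_key": ntpath.join("HKCU\\Software", cfg["Mutex"], "exepath"),
        "run_keys": [],
    }
    if cfg["Install flag"] == "Enable":
        root = PATH_ROOTS[cfg["Install path"]]
        iocs["install_path"] = ntpath.join(root, cfg["Copy folder"], cfg["Copy file"])
    for hive in ("HKCU", "HKLM"):
        if cfg["Setup %s\\Run" % hive] == "Enable":
            iocs["run_keys"].append(ntpath.join(RUN_KEYS[hive], cfg["Startup value"]))
    if cfg["Keylog flag"] == "1":
        iocs["keylog_file"] = ntpath.join(PATH_ROOTS[cfg["Keylog path"]],
                                          cfg["Keylog folder"], cfg["Keylog file"])
    return iocs


def expand(path, env):
    """Expand %VAR% placeholders for one concrete user profile."""
    for name, value in env.items():
        path = path.replace("%" + name + "%", value)
    return path


def norm_key(key):
    """Lower-case and shorten hive names so HKEY_CURRENT_USER\\x == HKCU\\x."""
    key = key.lower()
    for long, short in HIVE_ALIASES.items():
        if key.startswith(long + "\\"):
            key = short + key[len(long):]
    return key


def match_registry_event(event, iocs, env):
    """Names of the derived IOCs that a registry-set event touches (empty list if none)."""
    hits = []
    target = norm_key(event["TargetObject"])
    if target == norm_key(iocs["exepath_key"]):
        hits.append("exepath_key")
    if any(target == norm_key(k) for k in iocs["run_keys"]):
        hits.append("run_key")
    if "install_path" in iocs and \
            ntpath.normcase(event["Image"]) == ntpath.normcase(expand(iocs["install_path"], env)):
        hits.append("install_path")
    return hits


if __name__ == "__main__":
    iocs = derive_iocs(CONFIG)
    for name, value in iocs.items():
        print("%-13s %s" % (name, value))
    print("Sigma event hits:", match_registry_event(SIGMA_EVENT, iocs, ENV))
```

The Run value MservicesOrg2 is not in the Sigma event, so it is not reported as a hit for that event; it is still in the derived list, which is the point of deriving artifacts from the config rather than from whatever the sandbox happened to record during its run.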

Signature Overview

AV Detection:

Found malware configuration
Source: 24.2.PxxoServicesTrialNet1.exe.3c85f68.3.raw.unpack, Malware Configuration Extractor: Remcos (the full configuration is listed in the Malware Configuration section above)
Multi AV Scanner detection for domain / URL
Source: databasepropersonombrecomercialideasearchwords.services, Virustotal: Detection: 12%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe, ReversingLabs: Detection: 10%
Multi AV Scanner detection for submitted file
Source: EXTRACTOSERFINANZA989543704031499704092798964.exe, ReversingLabs: Detection: 10%
Yara detected Remcos RAT
Source: Yara match, File source: 00000019.00000002.914491877.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.664656928.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.780636700.0000000003E8B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.710784907.0000000004374000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.706118629.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.781443613.00000000049AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.771805512.000000000559E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000018.00000002.752626728.0000000003279000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000021.00000002.728536035.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.766450964.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000018.00000002.759339292.0000000003C85000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: PxxoServicesTrialNet1.exe PID: 4480, type: MEMORY
Source: Yara match, File source: Process Memory Space: PxxoServicesTrialNet1.exe PID: 7144, type: MEMORY
Source: Yara match, File source: Process Memory Space: PxxoServicesTrialNet1.exe PID: 5772, type: MEMORY
Source: Yara match, File source: Process Memory Space: EXTRACTOSERFINANZA989543704031499704092798964.exe PID: 6880, type: MEMORY
Source: Yara match, File source: Process Memory Space: PxxoServicesTrialNet1.exe PID: 6788, type: MEMORY
Source: Yara match, File source: 33.2.PxxoServicesTrialNet1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.PxxoServicesTrialNet1.exe.49ce510.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 25.2.PxxoServicesTrialNet1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 24.2.PxxoServicesTrialNet1.exe.3ca6f88.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 24.2.PxxoServicesTrialNet1.exe.3ca6f88.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 24.2.PxxoServicesTrialNet1.exe.3c85f68.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.PxxoServicesTrialNet1.exe.55bf940.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.PxxoServicesTrialNet1.exe.559e920.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.PxxoServicesTrialNet1.exe.49ce510.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 33.2.PxxoServicesTrialNet1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 25.2.PxxoServicesTrialNet1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4395598.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.PxxoServicesTrialNet1.exe.55bf940.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4374578.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.PxxoServicesTrialNet1.exe.559e920.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.PxxoServicesTrialNet1.exe.49ad4f0.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 24.2.PxxoServicesTrialNet1.exe.3c85f68.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4395598.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.PxxoServicesTrialNet1.exe.49ad4f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4374578.5.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: EXTRACTOSERFINANZA989543704031499704092798964.exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 24.2.PxxoServicesTrialNet1.exe.3ca6f88.4.unpack, Avira: Label: BDS/Backdoor.Gen
Source: 7.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.400000.0.unpack, Avira: Label: BDS/Backdoor.Gen
Source: 15.2.PxxoServicesTrialNet1.exe.559e920.4.unpack, Avira: Label: BDS/Backdoor.Gen
Source: 16.2.PxxoServicesTrialNet1.exe.49ce510.5.unpack, Avira: Label: BDS/Backdoor.Gen
Source: 33.2.PxxoServicesTrialNet1.exe.400000.0.unpack, Avira: Label: BDS/Backdoor.Gen
Source: 15.2.PxxoServicesTrialNet1.exe.55bf940.3.unpack, Avira: Label: BDS/Backdoor.Gen
Source: 25.2.PxxoServicesTrialNet1.exe.400000.0.unpack, Avira: Label: BDS/Backdoor.Gen
Source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4395598.4.unpack, Avira: Label: BDS/Backdoor.Gen
Source: 1.2.EXTRACTOSERFINANZA989543704031499704092798964.exe.4374578.5.unpack, Avira: Label: BDS/Backdoor.Gen
Source: 16.2.PxxoServicesTrialNet1.exe.49ad4f0.6.unpack, Avira: Label: BDS/Backdoor.Gen
Source: 24.2.PxxoServicesTrialNet1.exe.3c85f68.3.unpack, Avira: Label: BDS/Backdoor.Gen
Source: EXTRACTOSERFINANZA989543704031499704092798964.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbH{ source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb% source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb" source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734788443.0000000004AD5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701319384.00000000014AB000.00000004.00000020.sdmp, PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.721117453.000000000458B000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.733685179.0000000004F2D000.00000004.00000001.sdmp
Source: Binary string: PxxoServicesTrialNet1.PDB source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765005138.0000000000EF8000.00000004.00000001.sdmp, PxxoServicesTrialNet1.exe, 00000010.00000002.775167654.0000000001538000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.681925394.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.735005331.0000000004AC0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746862935.0000000002DE5000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
Source: Binary string: ml.pdb source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
Source: Binary string: .ni.pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 0000000C.00000003.681925394.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.735005331.0000000004AC0000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
Source: Binary string: System.pdb99zz source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb> source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734788443.0000000004AD5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbCE source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701319384.00000000014AB000.00000004.00000020.sdmp
Source: Binary string: bcrypt.pdb1 source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.668670088.00000000030C8000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.721650694.00000000006C6000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.733540972.0000000003285000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000C.00000003.681835852.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734932038.0000000004AC5000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746862935.0000000002DE5000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb8 source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.PDB@Jh source: PxxoServicesTrialNet1.exe, 00000010.00000002.775167654.0000000001538000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdb" source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734788443.0000000004AD5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbtE source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701319384.00000000014AB000.00000004.00000020.sdmp
Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbkE source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
Source: Binary string: CLBCatQ.pdbC source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701291575.0000000001499000.00000004.00000020.sdmp
Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000000C.00000003.681835852.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734932038.0000000004AC5000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746862935.0000000002DE5000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
Source: Binary string: ole32.pdbX source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: rsaenh.pdb+ source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000023.00000003.746862935.0000000002DE5000.00000004.00000040.sdmp
          Source: Binary string: cryptsp.pdb= source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: edputil.pdbY source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
          Source: Binary string: profapi.pdbv source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: wimm32.pdb7 source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: ole32.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdber source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765835715.000000000121F000.00000004.00000020.sdmp
          Source: Binary string: propsys.pdba source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
          Source: Binary string: iertutil.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: msvcp_win.pdb, source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765835715.000000000121F000.00000004.00000020.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbWS source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
          Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdb source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: urlmon.pdbs source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb7cZ^ source: PxxoServicesTrialNet1.exe, 0000000F.00000002.765912392.0000000001282000.00000004.00000020.sdmp
          Source: Binary string: WLDP.pdbl source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: iertutil.pdb2 source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: propsys.pdbq source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: combase.pdb source: WerFault.exe, 0000000C.00000003.681835852.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734932038.0000000004AC5000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746862935.0000000002DE5000.00000004.00000040.sdmp
          Source: Binary string: iVisualBasic.pdb source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.698512628.00000000010F8000.00000004.00000001.sdmp, PxxoServicesTrialNet1.exe, 0000000F.00000002.765005138.0000000000EF8000.00000004.00000001.sdmp, PxxoServicesTrialNet1.exe, 00000010.00000002.775167654.0000000001538000.00000004.00000001.sdmp
          Source: Binary string: cldapi.pdb, source: WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: Windows.StateRepositoryPS.pdb% source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb~ source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701202553.000000000143F000.00000004.00000020.sdmp
          Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000C.00000003.668176403.00000000030C2000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.721203841.00000000006C0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.734239841.000000000327F000.00000004.00000001.sdmp
          Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000C.00000003.681869437.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734900230.0000000004AF1000.00000004.00000001.sdmp
          Source: Binary string: ml.ni.pdb source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.PDB source: PxxoServicesTrialNet1.exe, 00000010.00000002.775167654.0000000001538000.00000004.00000001.sdmp
          Source: Binary string: rsaenh.pdbz source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: ml.ni.pdb" source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp
          Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000000C.00000003.681835852.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734932038.0000000004AC5000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746862935.0000000002DE5000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: .pdbAx source: PxxoServicesTrialNet1.exe, 00000010.00000002.775167654.0000000001538000.00000004.00000001.sdmp
          Source: Binary string: shcore.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701291575.0000000001499000.00000004.00000020.sdmp, PxxoServicesTrialNet1.exe, 0000000F.00000002.765835715.000000000121F000.00000004.00000020.sdmp
          Source: Binary string: .pdb% source: WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.681925394.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.735005331.0000000004AC0000.00000004.00000040.sdmp
          Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 0000000C.00000003.681825978.00000000052E5000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.734788443.0000000004AD5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: msasn1.pdb" source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: EXTRACTOSERFINANZA989543704031499704092798964.exe, 00000001.00000002.701306786.00000000014A8000.00000004.00000020.sdmp, PxxoServicesTrialNet1.exe, 0000000F.00000002.765835715.000000000121F000.00000004.00000020.sdmp
          Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734788443.0000000004AD5000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.746630451.0000000002DF5000.00000004.00000001.sdmp
          Source: Binary string: shell32.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: version.pdbb source: WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp
          Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000C.00000002.697878831.00000000053F0000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.762864959.0000000004CD0000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.774116993.00000000054F0000.00000004.00000001.sdmp
          Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000C.00000003.681843597.00000000052D8000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.734730861.0000000004AC8000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.746882968.0000000002DE8000.00000004.00000040.sdmp
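The `Binary string: ... .pdb` entries above are PDB paths the sandbox recovered from process memory dumps. Two things a practitioner usually wants from such a listing: the paths themselves, cleaned of the characters that follow `.pdb` (`mscorlib.pdbx`, `...Microsoft.VisualBasic.pdb7cZ^`, `...PxxoServicesTrialNet1.PDB@Jh`), which appear to be adjacent printable bytes picked up by the string scanner rather than part of the path; and, where the module still carries its CodeView `RSDS` record, the GUID and age that identify the exact build on a symbol server. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code. It scans a raw blob for `.pdb` paths, parses any `RSDS` records (in a PE these are reached through the debug directory; scanning for the signature is the shortcut that works on dumps), and applies a simple triage heuristic that is my assumption, not something the report states. The memory blob, GUID and age are constructed here for illustration; the `PxxoServicesTrialNet1.PDB` path is taken from the listing above.

```python
"""Recover PDB paths from a raw memory dump and parse CodeView RSDS records.

Added example for the PDB-string listing; not part of the Joe Sandbox report
or the analysed sample. The memory blob, GUID and age below are constructed.
"""
import re
import struct
import uuid

# A PDB path is a run of printable ASCII ending in ".pdb" (case-insensitive).
# Ending the match at ".pdb" drops the trailing bytes a string scanner tends to
# pull in after the path ("mscorlib.pdbx", "...VisualBasic.pdb7cZ^").
PDB_PATH_RE = re.compile(rb"[\x20-\x7e]{1,259}?\.pdb", re.IGNORECASE)


def scan_pdb_strings(blob: bytes) -> list[str]:
    """Return unique PDB paths in first-seen order, truncated at '.pdb'."""
    found: list[str] = []
    seen: set[str] = set()
    for m in PDB_PATH_RE.finditer(blob):
        path = m.group().decode("ascii")
        key = path.lower()
        if key not in seen:
            seen.add(key)
            found.append(path)
    return found


def parse_rsds_records(blob: bytes) -> list[dict]:
    """Parse every CodeView 'RSDS' record: signature, GUID (16), age (4), NUL-terminated path."""
    records: list[dict] = []
    pos = blob.find(b"RSDS")
    while pos != -1:
        hdr_end = pos + 4 + 16 + 4
        if hdr_end > len(blob):
            break  # truncated record at end of blob
        guid = uuid.UUID(bytes_le=blob[pos + 4:pos + 20])
        (age,) = struct.unpack_from("<I", blob, pos + 20)
        nul = blob.find(b"\x00", hdr_end)
        if nul == -1:
            break  # path never terminated; cannot trust it
        path = blob[hdr_end:nul].decode("ascii", errors="replace")
        records.append({"offset": pos, "guid": guid, "age": age, "path": path})
        pos = blob.find(b"RSDS", nul)
    return records


def symstore_key(rec: dict) -> str:
    """GUID (upper hex, no dashes) + age (upper hex): the directory a symbol
    server uses under <pdbname>/ for this exact build."""
    return rec["guid"].hex.upper() + format(rec["age"], "X")


def classify_pdb_path(path: str) -> str:
    """Triage heuristic (an assumption for this example, not from the report)."""
    low = path.lower()
    if low.startswith("\\??\\"):  # NT object-manager prefix
        low = low[4:]
    if "\\" not in low:
        return "bare"            # module name only, e.g. "mscorlib.pdb"
    if "\\users\\" in low or "\\appdata\\" in low or "\\temp\\" in low:
        return "user-writable"   # PDB written under a user profile, not a normal build tree
    if low.startswith("c:\\windows\\"):
        return "windows"         # loader / symbol-probe path, normally noise
    return "other"


def build_rsds(guid: uuid.UUID, age: int, path: str) -> bytes:
    """Build a CodeView RSDS record (used only to construct the sample dump)."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")  # constructed
SAMPLE_PATH = r"C:\Users\user\AppData\Roaming\System32\PxxoServicesTrialNet1.PDB"  # from the listing
SAMPLE_DUMP = (  # constructed memory blob mimicking the report's hits
    b"\x00\x00" + build_rsds(SAMPLE_GUID, 3, SAMPLE_PATH) + b"\x00"
    + b"mscorlib.pdbx\x00"
    + b"\\??\\C:\\Windows\\symbols\\dll\\Microsoft.VisualBasic.pdb7cZ^\x00"
    + b"wkernelbase.pdb\x00"
    + b"mscorlib.pdb\x00"
)

if __name__ == "__main__":
    for p in scan_pdb_strings(SAMPLE_DUMP):
        print(f"{classify_pdb_path(p):14} {p}")
    for rec in parse_rsds_records(SAMPLE_DUMP):
        name = rec["path"].rsplit("\\", 1)[-1]
        print(f"RSDS @0x{rec['offset']:x}  symsrv path: {name}/{symstore_key(rec)}/{name}")
```

Run it on a real `.sdmp`/`.dmp` by replacing `SAMPLE_DUMP` with the file's bytes. Bare module names and `C:\Windows\...` probe paths are what the CLR and Windows Error Reporting leave behind in any .NET process; the path worth keeping from the listing above is the one under `AppData\Roaming\System32`, which the heuristic flags as user-writable.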
          Source