Analysis Report PRICE LIST (NOVEMBER 2020).exe

Overview

General Information

Sample Name:	PRICE LIST (NOVEMBER 2020).exe
Analysis ID:	356549
MD5:	404ef05a6acc67c2b59189171f9eb0fc
SHA1:	0ecf315e5a72a3c9ddd386d1116d2265877b4027
SHA256:	863d464bb43bda7378c611a5c16410a3c279ca72e447632f5e03f8418f5464d8
Tags:	AgentTeslaexe
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Binary contains a suspicious time stamp

C2 URLs / IPs found in malware configuration

Contains functionality to hide a thread from the debugger

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Signatures

AV Detection:

Found malware configuration

Source: PRICE LIST (NOVEMBER 2020).exe.1508.8.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "uZpecWaWaVj1vP", "URL: ": "http://L2JzF7P98hlnK.net", "To: ": "jose.carvalho@electrobelarmino.pt", "ByHost: ": "mail.electrobelarmino.pt:587", "Password: ": "drqmyQWtkw41E", "From: ": "jose.carvalho@electrobelarmino.pt"}

Multi AV Scanner detection for submitted file

Source: PRICE LIST (NOVEMBER 2020).exe

ReversingLabs: Detection: 25%

Machine Learning detection for sample

Source: PRICE LIST (NOVEMBER 2020).exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 8.2.PRICE LIST (NOVEMBER 2020).exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files

Source: PRICE LIST (NOVEMBER 2020).exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: PRICE LIST (NOVEMBER 2020).exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: System.Configuration.pdbY source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: rsaenh.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: nphjVisualBasic.pdb source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380203854.00000000008F7000.00000004.00000010.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 0000000B.00000003.391923928.0000000004F6B000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380744894.0000000000C9B000.00000004.00000020.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000B.00000003.392204198.0000000004F61000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.392568947.0000000004F60000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdb"" source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 0000000B.00000003.392568947.0000000004F60000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdb-' source: WerFault.exe, 0000000B.00000003.391923928.0000000004F6B000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380681653.0000000000C5B000.00000004.00000020.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000B.00000003.391923928.0000000004F6B000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
Source:	Binary string: shlwapi.pdb% source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp, WERB99A.tmp.dmp.11.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380744894.0000000000C9B000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380681653.0000000000C5B000.00000004.00000020.sdmp
Source:	Binary string: rtutils.pdbE source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).PDB source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380203854.00000000008F7000.00000004.00000010.sdmp
Source:	Binary string: indows.Forms.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: i.pdb source: WerFault.exe, 0000000B.00000003.392204198.0000000004F61000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb! source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbL source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: edputil.pdbg source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbp source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380744894.0000000000C9B000.00000004.00000020.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdbS source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERB99A.tmp.dmp.11.dr
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp, WERB99A.tmp.dmp.11.dr
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: indows.Forms.pdb" source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: PRICE LIST (NOVEMBER 2020).PDBr source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380203854.00000000008F7000.00000004.00000010.sdmp
Source:	Binary string: rasadhlp.pdb- source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).PDBY source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380724372.0000000000C80000.00000004.00000020.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb13 source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380681653.0000000000C5B000.00000004.00000020.sdmp
Source:	Binary string: ole32.pdb@ source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdbR source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.391966580.0000000004F62000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.391923928.0000000004F6B000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WERB99A.tmp.dmp.11.dr
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS source: WERB99A.tmp.dmp.11.dr
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdb-' source: WerFault.exe, 0000000B.00000003.391923928.0000000004F6B000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbzI source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380581139.0000000000BFE000.00000004.00000020.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: ore.pdb\\ source: WerFault.exe, 0000000B.00000003.392204198.0000000004F61000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3el source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
Source:	Binary string: System.Core.ni.pdbRSDSD source: WERB99A.tmp.dmp.11.dr
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: diasymreader.pdb_ source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdb-' source: WerFault.exe, 0000000B.00000003.391923928.0000000004F6B000.00000004.00000040.sdmp
Source:	Binary string: t.VisualBasic.pdb source: WerFault.exe, 0000000B.00000003.392204198.0000000004F61000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000B.00000003.391923928.0000000004F6B000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.392568947.0000000004F60000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380681653.0000000000C5B000.00000004.00000020.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
Source:	Binary string: propsys.pdb5 source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb*0 source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380681653.0000000000C5B000.00000004.00000020.sdmp
Source:	Binary string: iertutil.pdb} source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: rasapi32.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdbO source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000B.00000003.391923928.0000000004F6B000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdbJ source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: rtutils.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb.' source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp, WERB99A.tmp.dmp.11.dr
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb2 source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380681653.0000000000C5B000.00000004.00000020.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.392568947.0000000004F60000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdblo source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380744894.0000000000C9B000.00000004.00000020.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERB99A.tmp.dmp.11.dr
Source:	Binary string: clrjit.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: rasman.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380581139.0000000000BFE000.00000004.00000020.sdmp
Source:	Binary string: cfgmgr32.pdbT source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: .pdb88 source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380203854.00000000008F7000.00000004.00000010.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb* source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380681653.0000000000C5B000.00000004.00000020.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp, WERB99A.tmp.dmp.11.dr
Source:	Binary string: System.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
Source:	Binary string: ore.ni.pdb source: WerFault.exe, 0000000B.00000003.392204198.0000000004F61000.00000004.00000040.sdmp
Source:	Binary string: ore.pdb source: WerFault.exe, 0000000B.00000003.392204198.0000000004F61000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.392568947.0000000004F60000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbi18 source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380744894.0000000000C9B000.00000004.00000020.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: cldapi.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdb+ source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbk source: WerFault.exe, 0000000B.00000003.391966580.0000000004F62000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
Source:	Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb^ source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb" source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
Source:	Binary string: edputil.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://L2JzF7P98hlnK.net

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /base/FBD1AA88F2DB3E5E79F7212492E97FE4.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 104.21.71.230 104.21.71.230

Source: global traffic

HTTP traffic detected: GET /base/FBD1AA88F2DB3E5E79F7212492E97FE4.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: coroloboxorozor.com

Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmp	String found in binary or memory: http://CMvIqY.com
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.605811150.0000000002E2D000.00000004.00000001.sdmp, PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.606314503.0000000002EA5000.00000004.00000001.sdmp, PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmp	String found in binary or memory: http://L2JzF7P98hlnK.net
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.606198397.0000000002E7B000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: PRICE LIST (NOVEMBER 2020).exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: PRICE LIST (NOVEMBER 2020).exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.381179952.0000000002871000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com
Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.381179952.0000000002871000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com/base/FBD1AA88F2DB3E5E79F7212492E97FE4.html
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.606198397.0000000002E7B000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.606198397.0000000002E7B000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.606198397.0000000002E7B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: PRICE LIST (NOVEMBER 2020).exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: PRICE LIST (NOVEMBER 2020).exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: PRICE LIST (NOVEMBER 2020).exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: PRICE LIST (NOVEMBER 2020).exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.606198397.0000000002E7B000.00000004.00000001.sdmp	String found in binary or memory: http://mail.electrobelarmino.pt
Source: PRICE LIST (NOVEMBER 2020).exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: PRICE LIST (NOVEMBER 2020).exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.606198397.0000000002E7B000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/05
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.606198397.0000000002E7B000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.381179952.0000000002871000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: PRICE LIST (NOVEMBER 2020).exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%$
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: PRICE LIST (NOVEMBER 2020).exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.408840217.0000000007761000.00000004.00000001.sdmp, PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.601396712.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380542993.0000000000BCB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe

Window created: window name: CLIPBRDWNDCLASS

Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Code function: 0_2_027DA0D0 NtSetInformationThread,		0_2_027DA0D0
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Code function: 0_2_027DAE21 NtSetInformationThread,		0_2_027DAE21

Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Code function: 0_2_027D0690	0_2_027D0690
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Code function: 0_2_027D2AD8	0_2_027D2AD8
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Code function: 0_2_027D1BE9	0_2_027D1BE9
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Code function: 0_2_027D5BE1	0_2_027D5BE1
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Code function: 0_2_027D6E48	0_2_027D6E48
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Code function: 0_2_027DCDD8	0_2_027DCDD8
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Code function: 8_2_00E46ACD	8_2_00E46ACD
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Code function: 8_2_00E45B50	8_2_00E45B50
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Code function: 8_2_00F846A0	8_2_00F846A0
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Code function: 8_2_00F845B0	8_2_00F845B0
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Code function: 8_2_00F8D281	8_2_00F8D281

Source: PRICE LIST (NOVEMBER 2020).exe	Binary or memory string: OriginalFilename vs PRICE LIST (NOVEMBER 2020).exe
Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380026747.00000000004E2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameVHQefUyV.exe2 vs PRICE LIST (NOVEMBER 2020).exe
Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.383382280.0000000002E38000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePpFY VOt.exe2 vs PRICE LIST (NOVEMBER 2020).exe
Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380837285.0000000000E30000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs PRICE LIST (NOVEMBER 2020).exe
Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380542993.0000000000BCB000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PRICE LIST (NOVEMBER 2020).exe
Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.408068752.00000000069D0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs PRICE LIST (NOVEMBER 2020).exe
Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.407827121.00000000068E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs PRICE LIST (NOVEMBER 2020).exe
Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.391196809.0000000005730000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs PRICE LIST (NOVEMBER 2020).exe
Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.391196809.0000000005730000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PRICE LIST (NOVEMBER 2020).exe
Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.390833495.0000000004DF0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PRICE LIST (NOVEMBER 2020).exe
Source: PRICE LIST (NOVEMBER 2020).exe	Binary or memory string: OriginalFilename vs PRICE LIST (NOVEMBER 2020).exe
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.603002518.0000000000EA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs PRICE LIST (NOVEMBER 2020).exe
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.603514060.0000000000FAA000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PRICE LIST (NOVEMBER 2020).exe
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.601471388.0000000000842000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameVHQefUyV.exe2 vs PRICE LIST (NOVEMBER 2020).exe
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.610163268.0000000006030000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs PRICE LIST (NOVEMBER 2020).exe
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.602969148.0000000000E90000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx vs PRICE LIST (NOVEMBER 2020).exe
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.601396712.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamePpFY VOt.exe2 vs PRICE LIST (NOVEMBER 2020).exe
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.609887312.0000000005C60000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PRICE LIST (NOVEMBER 2020).exe
Source: PRICE LIST (NOVEMBER 2020).exe	Binary or memory string: OriginalFilenameVHQefUyV.exe2 vs PRICE LIST (NOVEMBER 2020).exe

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7024
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4540:120:WilError_01

Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe 'C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown	Process created: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 1592
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process created: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1	Jump to behavior

Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Code function: 0_2_068D24EA pushfd ; ret	0_2_068D24ED
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Code function: 0_2_068D327A push eax; retf	0_2_068D327D
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Code function: 8_2_00E4B597 push edi; retn 0000h	8_2_00E4B599
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Code function: 8_2_00F88B75 pushad ; ret	8_2_00F88B83
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Code function: 8_2_00F8D9E4 push cs; ret	8_2_00F8D9E5
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Code function: 8_2_00F8D9D4 push cs; ret	8_2_00F8D9D5
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Code function: 8_2_00F8D9C4 push cs; ret	8_2_00F8D9C5

Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Window / User API: threadDelayed 385	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Window / User API: threadDelayed 2952	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Window / User API: threadDelayed 1389	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Window / User API: threadDelayed 8463	Jump to behavior

Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe TID: 7028	Thread sleep count: 385 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe TID: 7028	Thread sleep count: 2952 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe TID: 6880	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe TID: 6920	Thread sleep count: 1389 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe TID: 6920	Thread sleep count: 8463 > 30	Jump to behavior

Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.390833495.0000000004DF0000.00000002.00000001.sdmp, PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.609887312.0000000005C60000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.417000819.0000000004C40000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.603913545.0000000001015000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: WerFault.exe, 0000000B.00000002.416819094.0000000004944000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.390833495.0000000004DF0000.00000002.00000001.sdmp, PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.609887312.0000000005C60000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.417000819.0000000004C40000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.390833495.0000000004DF0000.00000002.00000001.sdmp, PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.609887312.0000000005C60000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.417000819.0000000004C40000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380633022.0000000000C40000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.390833495.0000000004DF0000.00000002.00000001.sdmp, PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.609887312.0000000005C60000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.417000819.0000000004C40000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Process token adjusted: Debug			Jump to behavior

Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604422396.0000000001530000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604422396.0000000001530000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604422396.0000000001530000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604422396.0000000001530000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Queries volume information: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Queries volume information: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: Yara match	File source: 00000000.00000002.408840217.0000000007761000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.407424044.0000000006835000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.601396712.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PRICE LIST (NOVEMBER 2020).exe PID: 1508, type: MEMORY
Source: Yara match	File source: Process Memory Space: PRICE LIST (NOVEMBER 2020).exe PID: 7024, type: MEMORY
Source: Yara match	File source: 0.2.PRICE LIST (NOVEMBER 2020).exe.6835558.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PRICE LIST (NOVEMBER 2020).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PRICE LIST (NOVEMBER 2020).exe.6835558.11.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PRICE LIST (NOVEMBER 2020).exe PID: 1508, type: MEMORY

Analysis Report PRICE LIST (NOVEMBER 2020).exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Name	IP	Active
coroloboxorozor.com	104.21.71.230	true
mail.electrobelarmino.pt	109.71.43.243	true

Name	Malicious	Antivirus Detection	Reputation
http://L2JzF7P98hlnK.net	true	Avira URL Cloud: safe	unknown
http://coroloboxorozor.com/base/FBD1AA88F2DB3E5E79F7212492E97FE4.html	false	Avira URL Cloud: safe	unknown

ID:	356549
Product:	CloudBasic
Start time:	09:57:18
Start date:	23.02.2021
Sample:	PRICE LIST (NOVEMBER 2020).exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	404ef05a6acc67c2b59189171f9eb0fc
SHA1:	0ecf315e5a72a3c9ddd386d1116d2265877b4027
SHA256:	863d464bb43bda7378c611a5c16410a3c279ca72e447632f5e03f8418f5464d8
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_PRICE LIST (NOVE_2669e49e9dcb5c7f076336b8bf762a6b5e1646_915b61a4_1a53eef2\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	6D2C097DF4D3059EC092A091C97A3831	82DC0B4978968722A56BD814F3A4CCFDBC5ABDBC	789338BB58CA739D236920017EEB239D7693FE12B36A1C2ABF5872DC04CF5FA7
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB99A.tmp.dmp	Mini DuMP crash report, 15 streams, CheckSum 0x00000004, Tue Feb 23 17:58:38 2021, 0x1205a4 type	5A4D0CDF07AE72AC9AB0EB3F74AB08A5	E7BF0A16C1871642760E1288C3A1CAD3190AB907	9DBF9E4F9CBBBE087D8E067B1FC56F9161FC6CEF3AE3EE145A31DDAB0C723084
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC7A4.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	6AF5FDF92E90A0C83292F3C9D33FCC05	B9F910EF08C96184C3575D7B5D5D1720AA8A82B4	1B82C513BEAB7C25CA1478BAEFBA5AB27DB831D78798BC83A3F889774030C1ED
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBCC.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	029B30A5F5B15B8ECB55D6067F686CC3	B77A0EC03763101D48BAA1D73F9F9CB555417C05	A7A63DF05F192787C5408AADEFD4C98215256A235F3124C90289BBA4541089C4