Analysis Report PRICE LIST (NOVEMBER 2020).exe

Overview

General Information

Sample Name: PRICE LIST (NOVEMBER 2020).exe
Analysis ID: 356549
MD5: 404ef05a6acc67c2b59189171f9eb0fc
SHA1: 0ecf315e5a72a3c9ddd386d1116d2265877b4027
SHA256: 863d464bb43bda7378c611a5c16410a3c279ca72e447632f5e03f8418f5464d8
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • PRICE LIST (NOVEMBER 2020).exe (PID: 7024 cmdline: 'C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe' MD5: 404EF05A6ACC67C2B59189171F9EB0FC)
    • cmd.exe (PID: 5932 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 4852 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • WerFault.exe (PID: 6704 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 1592 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "uZpecWaWaVj1vP", "URL: ": "http://L2JzF7P98hlnK.net", "To: ": "jose.carvalho@electrobelarmino.pt", "ByHost: ": "mail.electrobelarmino.pt:587", "Password: ": "drqmyQWtkw41E", "From: ": "jose.carvalho@electrobelarmino.pt"}

Yara Overview

Memory Dumps

| Source | Rule | Description | Author | Strings |
| 00000000.00000002.408840217.0000000007761000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 00000000.00000002.407424044.0000000006835000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 00000008.00000002.601396712.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| Process Memory Space: PRICE LIST (NOVEMBER 2020).exe PID: 1508 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |

Unpacked PEs

| Source | Rule | Description | Author | Strings |
| 0.2.PRICE LIST (NOVEMBER 2020).exe.6835558.11.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 8.2.PRICE LIST (NOVEMBER 2020).exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |
| 0.2.PRICE LIST (NOVEMBER 2020).exe.6835558.11.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
  Source: PRICE LIST (NOVEMBER 2020).exe.1508.8.memstr, Malware Configuration Extractor: Agenttesla {"Username: ": "uZpecWaWaVj1vP", "URL: ": "http://L2JzF7P98hlnK.net", "To: ": "jose.carvalho@electrobelarmino.pt", "ByHost: ": "mail.electrobelarmino.pt:587", "Password: ": "drqmyQWtkw41E", "From: ": "jose.carvalho@electrobelarmino.pt"}
Multi AV Scanner detection for submitted file
  Source: PRICE LIST (NOVEMBER 2020).exe, ReversingLabs: Detection: 25%
Machine Learning detection for sample
  Source: PRICE LIST (NOVEMBER 2020).exe, Joe Sandbox ML: detected
  Source: 8.2.PRICE LIST (NOVEMBER 2020).exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
  Source: PRICE LIST (NOVEMBER 2020).exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
  Source: PRICE LIST (NOVEMBER 2020).exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols

Networking:

C2 URLs / IPs found in malware configuration
  Source: Malware configuration extractor, URLs: http://L2JzF7P98hlnK.net
  Source: global traffic, HTTP traffic detected: GET /base/FBD1AA88F2DB3E5E79F7212492E97FE4.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
  Source: Joe Sandbox View, IP Address: 104.21.71.230
  Source: unknown, DNS traffic detected: queries for: coroloboxorozor.com
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380542993.0000000000BCB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe Window created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe Code function: 0_2_027DA0D0 NtSetInformationThread, 0_2_027DA0D0
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe Code function: 0_2_027DAE21 NtSetInformationThread, 0_2_027DAE21
                  Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 1592
                  Source: PRICE LIST (NOVEMBER 2020).exe Static PE information: invalid certificate
                  Source: PRICE LIST (NOVEMBER 2020).exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380744894.0000000000C9B000.00000004.00000020.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbi18
                  Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/4@2/1
                  Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7024
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4540:120:WilError_01
                  Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB99A.tmp
                  Source: PRICE LIST (NOVEMBER 2020).exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: PRICE LIST (NOVEMBER 2020).exe ReversingLabs: Detection: 25%
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe File read: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe
                  Source: unknown Process created: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe 'C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe'
                  Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                  Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknown Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                  Source: unknown Process created: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe
                  Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 1592
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe Process created: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: PRICE LIST (NOVEMBER 2020).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: PRICE LIST (NOVEMBER 2020).exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb2 source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380681653.0000000000C5B000.00000004.00000020.sdmp
                  Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.392568947.0000000004F60000.00000004.00000040.sdmp
                  Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdblo source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380744894.0000000000C9B000.00000004.00000020.sdmp
                  Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: System.ni.pdbRSDS source: WERB99A.tmp.dmp.11.dr
                  Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: rasman.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380581139.0000000000BFE000.00000004.00000020.sdmp
                  Source: Binary string: cfgmgr32.pdbT source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: .pdb88 source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380203854.00000000008F7000.00000004.00000010.sdmp
                  Source: Binary string: version.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb* source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380681653.0000000000C5B000.00000004.00000020.sdmp
                  Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: System.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: ore.ni.pdb source: WerFault.exe, 0000000B.00000003.392204198.0000000004F61000.00000004.00000040.sdmp
                  Source: Binary string: ore.pdb source: WerFault.exe, 0000000B.00000003.392204198.0000000004F61000.00000004.00000040.sdmp
                  Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.392568947.0000000004F60000.00000004.00000040.sdmp
                  Source: Binary string: psapi.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbi18 source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380744894.0000000000C9B000.00000004.00000020.sdmp
                  Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: cldapi.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
                  Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: wUxTheme.pdb+ source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: combase.pdbk source: WerFault.exe, 0000000B.00000003.391966580.0000000004F62000.00000004.00000040.sdmp
                  Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
                  Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: powrprof.pdb^ source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: edputil.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp

                  Data Obfuscation:

                  Binary contains a suspicious time stamp
                  Source: initial sample, Static PE information: 0x88460DE1 [Fri Jun 13 17:14:09 2042 UTC]
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe, Code function: 0_2_068D24EA pushfd ; ret 0_2_068D24ED
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe, Code function: 0_2_068D327A push eax; retf 0_2_068D327D
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe, Code function: 8_2_00E4B597 push edi; retn 0000h 8_2_00E4B599
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe, Code function: 8_2_00F88B75 pushad ; ret 8_2_00F88B83
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe, Code function: 8_2_00F8D9E4 push cs; ret 8_2_00F8D9E5
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe, Code function: 8_2_00F8D9D4 push cs; ret 8_2_00F8D9D5
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe, Code function: 8_2_00F8D9C4 push cs; ret 8_2_00F8D9C5
                  Source: initial sample, Static PE information: section name: .text entropy: 6.84633802835
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe, Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion: