
Analysis Report PRICE LIST (NOVEMBER 2020).exe

Overview

General Information

Sample Name: PRICE LIST (NOVEMBER 2020).exe
Analysis ID: 356549
MD5: 404ef05a6acc67c2b59189171f9eb0fc
SHA1: 0ecf315e5a72a3c9ddd386d1116d2265877b4027
SHA256: 863d464bb43bda7378c611a5c16410a3c279ca72e447632f5e03f8418f5464d8
Tags: AgentTesla, exe


Detection

AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Injects a PE file into a foreign process
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • PRICE LIST (NOVEMBER 2020).exe (PID: 7024 cmdline: 'C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe' MD5: 404EF05A6ACC67C2B59189171F9EB0FC)
    • cmd.exe (PID: 5932 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 4852 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • WerFault.exe (PID: 6704 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 1592 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
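The Startup tree above shows two things a detection engineer can key on: the sample (running from the user's Desktop) shelling out to cmd.exe /c timeout 1, and WerFault.exe reporting a crash of that same process (-p 7024). The following is an added example, not part of the Joe Sandbox report: it encodes both patterns as rules over process-creation records. PIDs, parent links and command lines are copied from the tree; the record shape and the image path of timeout.exe (the tree only shows its command line) are assumptions.

```python
import re
from typing import Dict, List

# Constructed process-creation records modelled on the report's Startup tree.
# Assumptions: the dict layout, the root's ppid, and timeout.exe's image path.
EVENTS: List[Dict] = [
    {"pid": 7024, "ppid": 0, "image": "C:\\Users\\user\\Desktop\\PRICE LIST (NOVEMBER 2020).exe",
     "cmdline": "'C:\\Users\\user\\Desktop\\PRICE LIST (NOVEMBER 2020).exe'"},
    {"pid": 5932, "ppid": 7024, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "'C:\\Windows\\System32\\cmd.exe' /c timeout 1"},
    {"pid": 4540, "ppid": 5932, "image": "C:\\Windows\\system32\\conhost.exe",
     "cmdline": "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 4852, "ppid": 5932, "image": "C:\\Windows\\System32\\timeout.exe",
     "cmdline": "timeout 1"},
    {"pid": 6704, "ppid": 7024, "image": "C:\\Windows\\SysWOW64\\WerFault.exe",
     "cmdline": "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 7024 -s 1592"},
]

# Directories an unprivileged user can write to; a binary running from one of
# them is not part of the OS install.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\")
CMD_TIMEOUT_RE = re.compile(r"/c\s+timeout\b", re.IGNORECASE)
WERFAULT_PID_RE = re.compile(r"-p\s+(\d+)")


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable_dir(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def analyse_process_tree(events: List[Dict]) -> List[Dict]:
    by_pid = {e["pid"]: e for e in events}
    findings: List[Dict] = []
    for e in events:
        name = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        # Rule 1: a binary in a user-writable path shells out to 'cmd /c timeout N'
        # (the delay pattern in the report's tree).
        if (name == "cmd.exe" and CMD_TIMEOUT_RE.search(e["cmdline"])
                and parent and in_user_writable_dir(parent["image"])):
            findings.append({"rule": "user_path_binary_cmd_timeout",
                             "pid": e["pid"], "parent_pid": parent["pid"]})
        # Rule 2: WerFault.exe reporting a crash (-p <pid>) of a user-path binary;
        # pairs with the report's "One or more processes crash" signature.
        if name == "werfault.exe":
            m = WERFAULT_PID_RE.search(e["cmdline"])
            crashed = by_pid.get(int(m.group(1))) if m else None
            if crashed and in_user_writable_dir(crashed["image"]):
                findings.append({"rule": "werfault_for_user_path_binary",
                                 "pid": e["pid"], "crashed_pid": crashed["pid"]})
    return findings


if __name__ == "__main__":
    for finding in analyse_process_tree(EVENTS):
        print(finding)
```

Both rules resolve the parent or crashed process through the PID map rather than matching on the command line alone, so a cmd.exe /c timeout launched by an installed application in C:\Program Files does not fire.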

Malware Configuration

Threatname: Agenttesla

{"Username: ": "uZpecWaWaVj1vP", "URL: ": "http://L2JzF7P98hlnK.net", "To: ": "jose.carvalho@electrobelarmino.pt", "ByHost: ": "mail.electrobelarmino.pt:587", "Password: ": "drqmyQWtkw41E", "From: ": "jose.carvalho@electrobelarmino.pt"}
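The extracted configuration is the most actionable part of the report: it names the SMTP relay, port and mailbox the stealer exfiltrates to. The keys as emitted by the extractor carry a trailing ": ", which trips up naive lookups. The following is an added example, not part of the Joe Sandbox report: it normalises the record, infers the exfiltration channel and turns it into network and e-mail indicators. The channel inference (a populated ByHost plus a recipient address means SMTP) is an assumption, not something the report states.

```python
import json
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Record copied verbatim from the report's "Malware Configuration" section.
SAMPLE_CONFIG = (
    '{"Username: ": "uZpecWaWaVj1vP", "URL: ": "http://L2JzF7P98hlnK.net", '
    '"To: ": "jose.carvalho@electrobelarmino.pt", "ByHost: ": "mail.electrobelarmino.pt:587", '
    '"Password: ": "drqmyQWtkw41E", "From: ": "jose.carvalho@electrobelarmino.pt"}'
)


def normalise_keys(raw: Dict[str, str]) -> Dict[str, str]:
    """Strip the extractor's trailing ': ' and lowercase the key names."""
    return {k.strip().rstrip(":").strip().lower(): v for k, v in raw.items()}


def split_host_port(hostport: str, default_port: int) -> Tuple[str, int]:
    host, sep, port = hostport.rpartition(":")
    if not sep or not port.isdigit():
        return hostport, default_port
    return host, int(port)


def classify_exfil(cfg: Dict[str, str]) -> str:
    """Assumption: ByHost + To means SMTP; otherwise go by the URL scheme."""
    if cfg.get("byhost") and cfg.get("to"):
        return "smtp"
    scheme = urlparse(cfg.get("url", "")).scheme.lower()
    if scheme in ("http", "https"):
        return "http"
    if scheme == "ftp":
        return "ftp"
    return "unknown"


def extract_iocs(config_json: str) -> Dict:
    cfg = normalise_keys(json.loads(config_json))
    hosts: List[str] = []
    ports: List[int] = []
    emails = set()
    urls: List[str] = []
    if cfg.get("byhost"):
        host, port = split_host_port(cfg["byhost"], 25)  # SMTP default if no port
        hosts.append(host)
        ports.append(port)
    for field in ("to", "from"):
        if cfg.get(field):
            emails.add(cfg[field])
    if cfg.get("url"):
        urls.append(cfg["url"])
        url_host = urlparse(cfg["url"]).hostname  # urlparse lowercases the host
        if url_host:
            hosts.append(url_host)
    return {
        "channel": classify_exfil(cfg),
        "hosts": hosts,
        "ports": ports,
        "emails": sorted(emails),
        "urls": urls,
        # Never print the secret itself; only record that one was recovered.
        "credential_present": bool(cfg.get("username") and cfg.get("password")),
    }


if __name__ == "__main__":
    print(json.dumps(extract_iocs(SAMPLE_CONFIG), indent=2))
```

The URL field is carried through as an indicator but not treated as the exfiltration endpoint, since the populated SMTP fields are what the sample actually uses; both hosts are worth blocking and hunting for in mail-gateway and DNS logs.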

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.408840217.0000000007761000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.407424044.0000000006835000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.601396712.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: PRICE LIST (NOVEMBER 2020).exe PID: 1508 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.2.PRICE LIST (NOVEMBER 2020).exe.6835558.11.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
8.2.PRICE LIST (NOVEMBER 2020).exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.PRICE LIST (NOVEMBER 2020).exe.6835558.11.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: PRICE LIST (NOVEMBER 2020).exe.1508.8.memstr; Malware Configuration Extractor: Agenttesla {"Username: ": "uZpecWaWaVj1vP", "URL: ": "http://L2JzF7P98hlnK.net", "To: ": "jose.carvalho@electrobelarmino.pt", "ByHost: ": "mail.electrobelarmino.pt:587", "Password: ": "drqmyQWtkw41E", "From: ": "jose.carvalho@electrobelarmino.pt"}
Multi AV Scanner detection for submitted file
Source: PRICE LIST (NOVEMBER 2020).exe; ReversingLabs: Detection: 25%
Machine Learning detection for sample
Source: PRICE LIST (NOVEMBER 2020).exe; Joe Sandbox ML: detected
Source: 8.2.PRICE LIST (NOVEMBER 2020).exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: PRICE LIST (NOVEMBER 2020).exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PRICE LIST (NOVEMBER 2020).exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
                  Source: Binary string: System.Configuration.pdbY source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: nphjVisualBasic.pdb source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380203854.00000000008F7000.00000004.00000010.sdmp
                  Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000B.00000003.391923928.0000000004F6B000.00000004.00000040.sdmp
                  Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380744894.0000000000C9B000.00000004.00000020.sdmp
                  Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000B.00000003.392204198.0000000004F61000.00000004.00000040.sdmp
                  Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.392568947.0000000004F60000.00000004.00000040.sdmp
                  Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: System.Xml.pdb"" source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: winnsi.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: clr.pdb source: WerFault.exe, 0000000B.00000003.392568947.0000000004F60000.00000004.00000040.sdmp
                  Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: System.Windows.Forms.pdb-' source: WerFault.exe, 0000000B.00000003.391923928.0000000004F6B000.00000004.00000040.sdmp
                  Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380681653.0000000000C5B000.00000004.00000020.sdmp
                  Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000B.00000003.391923928.0000000004F6B000.00000004.00000040.sdmp
                  Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: shlwapi.pdb% source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: urlmon.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
                  Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380744894.0000000000C9B000.00000004.00000020.sdmp
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380681653.0000000000C5B000.00000004.00000020.sdmp
                  Source: Binary string: rtutils.pdbE source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
                  Source: Binary string: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).PDB source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380203854.00000000008F7000.00000004.00000010.sdmp
                  Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: i.pdb source: WerFault.exe, 0000000B.00000003.392204198.0000000004F61000.00000004.00000040.sdmp
                  Source: Binary string: urlmon.pdb! source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: msvcp_win.pdbL source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: edputil.pdbg source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbp source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380744894.0000000000C9B000.00000004.00000020.sdmp
                  Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: nsi.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: WLDP.pdbS source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: mscorlib.ni.pdbRSDS source: WERB99A.tmp.dmp.11.dr
                  Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: indows.Forms.pdb" source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: iertutil.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: PRICE LIST (NOVEMBER 2020).PDBr source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380203854.00000000008F7000.00000004.00000010.sdmp
                  Source: Binary string: rasadhlp.pdb- source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: \??\C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).PDBY source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380724372.0000000000C80000.00000004.00000020.sdmp
                  Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
                  Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb13 source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380681653.0000000000C5B000.00000004.00000020.sdmp
                  Source: Binary string: ole32.pdb@ source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: cryptsp.pdbR source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: mscorlib.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.391966580.0000000004F62000.00000004.00000040.sdmp
                  Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.391923928.0000000004F6B000.00000004.00000040.sdmp
                  Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERB99A.tmp.dmp.11.dr
                  Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: System.Xml.ni.pdbRSDS source: WERB99A.tmp.dmp.11.dr
                  Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: System.Xml.pdb-' source: WerFault.exe, 0000000B.00000003.391923928.0000000004F6B000.00000004.00000040.sdmp
                  Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbzI source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380581139.0000000000BFE000.00000004.00000020.sdmp
                  Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: ore.pdb\\ source: WerFault.exe, 0000000B.00000003.392204198.0000000004F61000.00000004.00000040.sdmp
                  Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: System.ni.pdbT3el source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
                  Source: Binary string: System.Core.ni.pdbRSDSD source: WERB99A.tmp.dmp.11.dr
                  Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
                  Source: Binary string: System.Xml.ni.pdb-' source: WerFault.exe, 0000000B.00000003.391923928.0000000004F6B000.00000004.00000040.sdmp
                  Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 0000000B.00000003.392204198.0000000004F61000.00000004.00000040.sdmp
                  Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000B.00000003.391923928.0000000004F6B000.00000004.00000040.sdmp
                  Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.392568947.0000000004F60000.00000004.00000040.sdmp
                  Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380681653.0000000000C5B000.00000004.00000020.sdmp
                  Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: propsys.pdb5 source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb*0 source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380681653.0000000000C5B000.00000004.00000020.sdmp
                  Source: Binary string: iertutil.pdb} source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
                  Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: wmswsock.pdbO source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000B.00000003.391923928.0000000004F6B000.00000004.00000040.sdmp
                  Source: Binary string: oleaut32.pdbJ source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: rtutils.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: System.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
                  Source: Binary string: wimm32.pdb.' source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb2 source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380681653.0000000000C5B000.00000004.00000020.sdmp
                  Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.392568947.0000000004F60000.00000004.00000040.sdmp
                  Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdblo source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380744894.0000000000C9B000.00000004.00000020.sdmp
                  Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: System.ni.pdbRSDS source: WERB99A.tmp.dmp.11.dr
                  Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: rasman.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380581139.0000000000BFE000.00000004.00000020.sdmp
                  Source: Binary string: cfgmgr32.pdbT source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: .pdb88 source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380203854.00000000008F7000.00000004.00000010.sdmp
                  Source: Binary string: version.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb* source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380681653.0000000000C5B000.00000004.00000020.sdmp
                  Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: System.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: ore.ni.pdb source: WerFault.exe, 0000000B.00000003.392204198.0000000004F61000.00000004.00000040.sdmp
                  Source: Binary string: ore.pdb source: WerFault.exe, 0000000B.00000003.392204198.0000000004F61000.00000004.00000040.sdmp
                  Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.392568947.0000000004F60000.00000004.00000040.sdmp
                  Source: Binary string: psapi.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbi18 source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380744894.0000000000C9B000.00000004.00000020.sdmp
                  Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: cldapi.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
                  Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: wUxTheme.pdb+ source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: combase.pdbk source: WerFault.exe, 0000000B.00000003.391966580.0000000004F62000.00000004.00000040.sdmp
                  Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
                  Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: powrprof.pdb^ source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: edputil.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
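Most of the "Binary string" hits above come from grepping memory for ".pdb", which is why many carry a stray trailing character ("System.Configuration.pdbY", "wntdll.pdbk") and why entries such as "mscorlib.ni.pdbRSDS" show the next CodeView record starting right after the path. A more precise way to recover PDB references from a dump is to parse the CodeView RSDS record itself: 4-byte "RSDS" signature, 16-byte GUID, 4-byte age, NUL-terminated path. The following is an added example, not part of the Joe Sandbox report; the dump it scans is constructed inline (one path copied from the report, the GUIDs made up) and the heuristics for rejecting false "RSDS" hits are the author's own.

```python
import re
import struct
import uuid
from typing import Dict, List

RSDS_RE = re.compile(rb"RSDS")
HEADER_LEN = 4 + 16 + 4  # signature + GUID + age


def parse_rsds_records(buf: bytes, max_path: int = 512) -> List[Dict]:
    """Return every plausible CodeView PDB 7.0 (RSDS) record found in buf."""
    records: List[Dict] = []
    for m in RSDS_RE.finditer(buf):
        start = m.start()
        if start + HEADER_LEN > len(buf):
            break
        guid_bytes = buf[start + 4:start + 20]
        (age,) = struct.unpack_from("<I", buf, start + 20)
        path_start = start + HEADER_LEN
        end = buf.find(b"\x00", path_start, path_start + max_path)
        if end == -1:
            continue  # no terminator within a sane length: not a path
        try:
            text = buf[path_start:end].decode("ascii")
        except UnicodeDecodeError:
            continue
        # Heuristic: a real record names a printable *.pdb path. This drops
        # chance "RSDS" byte sequences followed by binary data.
        if not text.isprintable() or not text.lower().endswith(".pdb"):
            continue
        records.append({
            "offset": start,
            "guid": str(uuid.UUID(bytes_le=guid_bytes)),  # GUID is stored little-endian
            "age": age,
            "pdb_path": text,
        })
    return records


def build_rsds(guid: uuid.UUID, age: int, path: str) -> bytes:
    """Construct a record; used only to build the synthetic dump below."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


# Constructed dump: filler, a valid record, a decoy "RSDS" followed by junk,
# more filler, a second valid record. GUIDs are invented.
SAMPLE_DUMP = (
    b"\x00" * 16
    + build_rsds(uuid.UUID("12345678-1234-5678-1234-567812345678"), 1,
                 "C:\\Users\\user\\Desktop\\PRICE LIST (NOVEMBER 2020).PDB")
    + b"RSDS" + b"\xff" * 20 + b"\x01\x02\x03" + b"\x00" * 8
    + build_rsds(uuid.UUID("abcdefab-cdef-abcd-efab-cdefabcdefab"), 3, "mscorlib.ni.pdb")
)

if __name__ == "__main__":
    for rec in parse_rsds_records(SAMPLE_DUMP):
        print(rec)
```

The GUID and age are what a symbol server keys on, so a hit like C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).PDB paired with its GUID identifies the exact build of the dropper, which is a stronger pivot for hunting related samples than the path string alone.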

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: http://L2JzF7P98hlnK.net
Source: global traffic; HTTP traffic detected: GET /base/FBD1AA88F2DB3E5E79F7212492E97FE4.html HTTP/1.1 | Host: coroloboxorozor.com | Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 104.21.71.230
Source: global traffic; HTTP traffic detected: GET /base/FBD1AA88F2DB3E5E79F7212492E97FE4.html HTTP/1.1 | Host: coroloboxorozor.com | Connection: Keep-Alive
Source: unknown; DNS traffic detected: queries for: coroloboxorozor.com
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmp; String found in binary or memory: http://CMvIqY.com
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmp; String found in binary or memory: http://DynDns.comDynDNS
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.605811150.0000000002E2D000.00000004.00000001.sdmp, PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.606314503.0000000002EA5000.00000004.00000001.sdmp, PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmp; String found in binary or memory: http://L2JzF7P98hlnK.net
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.606198397.0000000002E7B000.00000004.00000001.sdmp; String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: PRICE LIST (NOVEMBER 2020).exe; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: PRICE LIST (NOVEMBER 2020).exe; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.381179952.0000000002871000.00000004.00000001.sdmp; String found in binary or memory: http://coroloboxorozor.com
Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.381179952.0000000002871000.00000004.00000001.sdmp; String found in binary or memory: http://coroloboxorozor.com/base/FBD1AA88F2DB3E5E79F7212492E97FE4.html
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.606198397.0000000002E7B000.00000004.00000001.sdmp; String found in binary or memory: http://cps.letsencrypt.org0
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.606198397.0000000002E7B000.00000004.00000001.sdmp; String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.606198397.0000000002E7B000.00000004.00000001.sdmp; String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: PRICE LIST (NOVEMBER 2020).exe; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: PRICE LIST (NOVEMBER 2020).exe; String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: PRICE LIST (NOVEMBER 2020).exe; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: PRICE LIST (NOVEMBER 2020).exe; String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.606198397.0000000002E7B000.00000004.00000001.sdmp; String found in binary or memory: http://mail.electrobelarmino.pt
Source: PRICE LIST (NOVEMBER 2020).exe; String found in binary or memory: http://ocsp.digicert.com0C
Source: PRICE LIST (NOVEMBER 2020).exe; String found in binary or memory: http://ocsp.digicert.com0O
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.606198397.0000000002E7B000.00000004.00000001.sdmp; String found in binary or memory: http://r3.i.lencr.org/05
Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.606198397.0000000002E7B000.00000004.00000001.sdmp; String found in binary or memory: http://r3.o.lencr.org0
Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
                  Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
                  Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
                  Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
                  Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
                  Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
                  Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.381179952.0000000002871000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
                  Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
                  Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
                  Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
                  Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
                  Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
                  Source: WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
                  Source: PRICE LIST (NOVEMBER 2020).exeString found in binary or memory: http://www.digicert.com/CPS0
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%$
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                  Source: PRICE LIST (NOVEMBER 2020).exeString found in binary or memory: https://www.digicert.com/CPS0
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.408840217.0000000007761000.00000004.00000001.sdmp, PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.601396712.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
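Triage of the network rows above, as an added example that is not part of the report: it separates what the sandbox actually saw on the wire (the GET to coroloboxorozor.com and the matching DNS query) from URLs that only sit in memory, and sets aside the DigiCert, Let's Encrypt and IdenTrust URLs that come from the Authenticode signature and TLS chain, plus the xmlsoap.org claim-type namespaces that belong to the .NET runtime rather than to the malware. The trailing characters on the certificate URLs (".crt0", ".crl0P", "lencr.org0") are the DER bytes that follow the string in the signature blob, not part of the URL, and the code strips them from the TLD. The sample lines are a constructed subset of the rows above with the source column shortened; the allowlists and category names are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample: a subset of the report's network rows, with the source
# column shortened to "sample" where it was the PRICE LIST process's memory.
REPORT_LINES = [
    "Source: global traffic | HTTP traffic detected: GET /base/FBD1AA88F2DB3E5E79F7212492E97FE4.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive",
    "Source: unknown | DNS traffic detected: queries for: coroloboxorozor.com",
    "Source: sample | String found in binary or memory: http://127.0.0.1:HTTP/1.1",
    "Source: sample | String found in binary or memory: http://CMvIqY.com",
    "Source: sample | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0",
    "Source: sample | String found in binary or memory: http://coroloboxorozor.com/base/FBD1AA88F2DB3E5E79F7212492E97FE4.html",
    "Source: sample | String found in binary or memory: http://cps.root-x1.letsencrypt.org0",
    "Source: sample | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P",
    "Source: sample | String found in binary or memory: http://mail.electrobelarmino.pt",
    "Source: sample | String found in binary or memory: http://r3.o.lencr.org0",
    "Source: WerFault.exe | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "Source: sample | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0",
    "Source: sample | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha",
]

STRING_LABEL = "String found in binary or memory: "
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
DNS_RE = re.compile(r"queries for: ([A-Za-z0-9.-]+)")
# The export runs HTTP headers together ("...coroloboxorozor.comConnection: Keep-Alive"),
# so the Host value is matched in lowercase only: the fused next header name starts uppercase.
HTTP_HOST_RE = re.compile(r"Host: ([a-z0-9.-]+)")

# Certificate infrastructure named in the Authenticode signature and in TLS chains.
# Every signed binary carries these, so they are not indicators on their own.
PKI_SUFFIXES = ("digicert.com", "letsencrypt.org", "lencr.org", "identrust.com")
# WS-* claim-type URIs (the ClaimTypes constants in .NET): namespaces, not endpoints.
SCHEMA_SUFFIXES = ("xmlsoap.org",)


def normalize_host(raw):
    """Lowercase a host and strip the junk byte the export glues onto the TLD."""
    labels = raw.lower().strip(".").split(".")
    if all(label.isdigit() for label in labels):  # IPv4 literal, keep as is
        return ".".join(labels)
    # The report prints the byte that follows the string in memory. Inside a
    # certificate blob that is a DER tag (0x30 prints as "0"), hence "lencr.org0".
    # TLDs contain no digits unless punycode, so trailing digits on the last label
    # are dropped. Heuristic: a punycode TLD is left alone.
    if not labels[-1].startswith("xn--"):
        labels[-1] = labels[-1].rstrip("0123456789")
    return ".".join(labels)


def has_suffix(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_hosts(lines):
    """Map every host found in memory strings to one of:
    contacted (seen in DNS/HTTP traffic), local, pki, schema or review."""
    contacted = set()
    found = OrderedDict()
    for line in lines:
        for m in DNS_RE.finditer(line):
            contacted.add(normalize_host(m.group(1)))
        for m in HTTP_HOST_RE.finditer(line):
            contacted.add(normalize_host(m.group(1)))
        if STRING_LABEL in line:
            detail = line.split(STRING_LABEL, 1)[1]
            for m in HOST_RE.finditer(detail):
                found.setdefault(normalize_host(m.group(1)))
    result = OrderedDict()
    for host in found:
        if host in contacted:
            result[host] = "contacted"
        elif host.startswith("127."):
            result[host] = "local"
        elif has_suffix(host, PKI_SUFFIXES):
            result[host] = "pki"
        elif has_suffix(host, SCHEMA_SUFFIXES):
            result[host] = "schema"
        else:
            result[host] = "review"
    return result


if __name__ == "__main__":
    for host, category in classify_hosts(REPORT_LINES).items():
        print(f"{category:10} {host}")
```

Only coroloboxorozor.com comes out as contacted; api.ipify.org (a public-IP lookup service, commonly queried by stealers before exfiltration), mail.electrobelarmino.pt, www.theonionrouter.com and the random-looking CMvIqY.com remain for manual review, and every DigiCert, Let's Encrypt and IdenTrust host drops out as PKI noise.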
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380542993.0000000000BCB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | Window created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | Code function: 0_2_027DA0D0 NtSetInformationThread,
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | Code function: 0_2_027DAE21 NtSetInformationThread,
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | Code function: 0_2_027D0690
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | Code function: 0_2_027D2AD8
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | Code function: 0_2_027D1BE9
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | Code function: 0_2_027D5BE1
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | Code function: 0_2_027D6E48
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | Code function: 0_2_027DCDD8
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | Code function: 8_2_00E46ACD
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | Code function: 8_2_00E45B50
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | Code function: 8_2_00F846A0
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | Code function: 8_2_00F845B0
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | Code function: 8_2_00F8D281
                  Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 1592
                  Source: PRICE LIST (NOVEMBER 2020).exe | Static PE information: invalid certificate
                  Source: PRICE LIST (NOVEMBER 2020).exe | Binary or memory string: OriginalFilename vs PRICE LIST (NOVEMBER 2020).exe
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380026747.00000000004E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameVHQefUyV.exe2 vs PRICE LIST (NOVEMBER 2020).exe
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.383382280.0000000002E38000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePpFY VOt.exe2 vs PRICE LIST (NOVEMBER 2020).exe
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380837285.0000000000E30000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs PRICE LIST (NOVEMBER 2020).exe
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380542993.0000000000BCB000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PRICE LIST (NOVEMBER 2020).exe
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.408068752.00000000069D0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs PRICE LIST (NOVEMBER 2020).exe
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.407827121.00000000068E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs PRICE LIST (NOVEMBER 2020).exe
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.391196809.0000000005730000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs PRICE LIST (NOVEMBER 2020).exe
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.391196809.0000000005730000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PRICE LIST (NOVEMBER 2020).exe
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.390833495.0000000004DF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PRICE LIST (NOVEMBER 2020).exe
                  Source: PRICE LIST (NOVEMBER 2020).exe | Binary or memory string: OriginalFilename vs PRICE LIST (NOVEMBER 2020).exe
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.603002518.0000000000EA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs PRICE LIST (NOVEMBER 2020).exe
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.603514060.0000000000FAA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PRICE LIST (NOVEMBER 2020).exe
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.601471388.0000000000842000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameVHQefUyV.exe2 vs PRICE LIST (NOVEMBER 2020).exe
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.610163268.0000000006030000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs PRICE LIST (NOVEMBER 2020).exe
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.602969148.0000000000E90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs PRICE LIST (NOVEMBER 2020).exe
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.601396712.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePpFY VOt.exe2 vs PRICE LIST (NOVEMBER 2020).exe
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.609887312.0000000005C60000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PRICE LIST (NOVEMBER 2020).exe
                  Source: PRICE LIST (NOVEMBER 2020).exe | Binary or memory string: OriginalFilenameVHQefUyV.exe2 vs PRICE LIST (NOVEMBER 2020).exe
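An added example (not from the report or the sandbox vendor) that applies the check a practitioner would run over the OriginalFilename rows above. The static file's own version resource says VHQefUyV.exe, so the "PRICE LIST (NOVEMBER 2020).exe" name is a delivery rename; names that match a known runtime module (clr.dll, mscorrc.dll, the .mui resources, wshom.ocx) are noise from loaded DLLs; what is left, PpFY VOt.exe and RunPeBraba.dll, appears only in memory and matches nothing the process loaded, which points at additional PE images carried or injected by the sample. RunPE is the common name for process-hollowing loaders in .NET malware. The character after each extension ("2", "6", "T", "@", "j%") is the byte that followed the string in memory and is stripped. The sample rows are a constructed subset of the rows above; the runtime allowlist and category names are this example's own, and reading the dump name as pid.index.timestamp.address.protection.type (so that 00000040 is PAGE_EXECUTE_READWRITE) is an assumption about the sandbox's naming, marked as such in the code.

```python
import re

# Constructed sample: a subset of the report's "OriginalFilename ... vs ..." rows.
VERSION_LINES = [
    "Source: PRICE LIST (NOVEMBER 2020).exe | Binary or memory string: OriginalFilename vs PRICE LIST (NOVEMBER 2020).exe",
    "Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380026747.00000000004E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameVHQefUyV.exe2 vs PRICE LIST (NOVEMBER 2020).exe",
    "Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.383382280.0000000002E38000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePpFY VOt.exe2 vs PRICE LIST (NOVEMBER 2020).exe",
    "Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380837285.0000000000E30000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs PRICE LIST (NOVEMBER 2020).exe",
    "Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380542993.0000000000BCB000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PRICE LIST (NOVEMBER 2020).exe",
    "Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.408068752.00000000069D0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs PRICE LIST (NOVEMBER 2020).exe",
    "Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.391196809.0000000005730000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PRICE LIST (NOVEMBER 2020).exe",
    "Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.390833495.0000000004DF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PRICE LIST (NOVEMBER 2020).exe",
    "Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.602969148.0000000000E90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs PRICE LIST (NOVEMBER 2020).exe",
    "Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.601396712.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePpFY VOt.exe2 vs PRICE LIST (NOVEMBER 2020).exe",
    "Source: PRICE LIST (NOVEMBER 2020).exe | Binary or memory string: OriginalFilenameVHQefUyV.exe2 vs PRICE LIST (NOVEMBER 2020).exe",
]

# Case-sensitive on purpose: "System.OriginalFileName" and "originalfilename" are
# property-name strings from the .NET runtime, not version-resource values.
LINE_RE = re.compile(r"OriginalFilename(?P<name>.*?) vs (?P<disk>.+?)\s*$")
# Greedy, so "propsys.dll.mui@" keeps ".mui" and only the junk byte is dropped.
NAME_RE = re.compile(r"^(.*\.(?:exe|dll|ocx|mui))", re.IGNORECASE)
# Assumption about the sandbox's dump naming: pid.index.timestamp.address.protection.type
DUMP_RE = re.compile(
    r"(?P<pid>[0-9A-F]{8})\.(?P<idx>[0-9A-F]{8})\.(?P<ts>\d+)\."
    r"(?P<addr>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<type>[0-9A-F]{8})\.sdmp",
    re.IGNORECASE,
)
PAGE_EXECUTE_READWRITE = 0x40  # Windows memory-protection constant

# Analyst-maintained allowlist (this example's own) of modules the report shows loaded.
KNOWN_RUNTIME = {"clr.dll", "mscorrc.dll", "kernelbase.dll.mui", "propsys.dll.mui",
                 "wshom.ocx", "wshom.ocx.mui"}


def parse_dump_region(line):
    """Return {pid, address, rwx} for a memory-dump source, or None for the static file."""
    d = DUMP_RE.search(line)
    if not d:
        return None
    return {
        "pid": int(d.group("pid"), 16),
        "address": int(d.group("addr"), 16),
        "rwx": int(d.group("prot"), 16) == PAGE_EXECUTE_READWRITE,
    }


def triage_original_filenames(lines):
    """Classify each OriginalFilename value as self, self-renamed, runtime, injector or embedded-pe."""
    rows, own_names = [], set()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        n = NAME_RE.match(m.group("name").strip())
        if not n:
            continue  # empty name or no recognisable extension
        name, disk, region = n.group(1), m.group("disk").strip(), parse_dump_region(line)
        if region is None:
            own_names.add(name.lower())  # static row: the file's own version resource
        rows.append((name, disk, region))
    findings = []
    for name, disk, region in rows:
        low = name.lower()
        if low == disk.lower():
            cat = "self"
        elif low in own_names:
            cat = "self-renamed"       # the sample's real name; disk name is the lure
        elif low in KNOWN_RUNTIME:
            cat = "runtime"
        elif "runpe" in low:
            cat = "injector"           # RunPE-style process-hollowing loader
        else:
            cat = "embedded-pe"        # an extra PE image; carve it from the dump
        findings.append({"name": name, "category": cat, "region": region})
    return findings


if __name__ == "__main__":
    for f in triage_original_filenames(VERSION_LINES):
        r = f["region"]
        where = f"pid {r['pid']} @ {r['address']:#x}{' RWX' if r['rwx'] else ''}" if r else "static file"
        print(f"{f['category']:13} {f['name']:22} {where}")
```

The one RWX hit is PpFY VOt.exe at 0x402000 in PID 8, the relaunched copy of the sample: a second .NET image mapped at the default image base in writable, executable memory of the child process, which is what the hollowing signatures in the summary describe.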
                  Source: PRICE LIST (NOVEMBER 2020).exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380744894.0000000000C9B000.00000004.00000020.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbi18
                  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/4@2/1
                  Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7024
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4540:120:WilError_01
                  Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB99A.tmp
                  Source: PRICE LIST (NOVEMBER 2020).exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: PRICE LIST (NOVEMBER 2020).exe | ReversingLabs: Detection: 25%
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | File read: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe
                  Source: unknown | Process created: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe 'C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe'
                  Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                  Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                  Source: unknown | Process created: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe
                  Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 1592
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | Process created: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
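The process rows above read as a tree, as an added example that is not part of the report: the sample spawns cmd.exe /c timeout 1 and then a second copy of its own image, which together with the suspended-process and PE-injection signatures in the summary is the usual shape of a stager that waits briefly and then hollows its relaunched copy; WerFault.exe -p 7024 records that one of the processes crashed afterwards. The parser accepts both the export's fused form ("unknownProcess created:") and a separated one, and ignores the unattributed rows for anything but the tree because they repeat the attributed ones. The sample lines are the rows above; the finding names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the report's "Process created" rows. The first five use the
# export's fused form, the rest a separated one; PROC_RE accepts both.
PROCESS_LINES = [
    r"Source: unknownProcess created: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe 'C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe'",
    r"Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1",
    r"Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    r"Source: unknownProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1",
    r"Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 1592",
    r"Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1",
    r"Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | Process created: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe",
    r"Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1",
]

# src is the parent image (or "unknown"); image ends at the first ".exe"; the rest is the
# command line. Image paths may contain spaces, hence anchoring on the extension.
PROC_RE = re.compile(
    r"^Source: (?P<src>.*?)\s*(?:\|\s*)?Process created: (?P<image>.+?\.exe)(?: (?P<cmd>.*))?$",
    re.IGNORECASE,
)


def basename(path):
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def parse_process_line(line):
    """Return (parent image path or None, child image path, command line), or None."""
    m = PROC_RE.match(line)
    if not m:
        return None
    src = m.group("src").strip()
    parent = None if src.lower() == "unknown" else src
    return parent, m.group("image"), m.group("cmd") or ""


def analyze_process_tree(lines):
    """Build parent -> children (by image basename) and flag the patterns that matter here."""
    tree = defaultdict(list)
    findings = []

    def add(finding):
        if finding not in findings:
            findings.append(finding)

    for line in lines:
        parsed = parse_process_line(line)
        if parsed is None:
            continue
        parent, image, cmd = parsed
        child = basename(image)
        parent_name = basename(parent) if parent else None
        tree[parent_name or "<unattributed>"].append(child)
        # WerFault.exe -p <pid> is Windows Error Reporting handling a crash of that PID.
        if child == "werfault.exe":
            pid = re.search(r"-p (\d+)", cmd)
            add(("crash", pid.group(1) if pid else "?", cmd))
        if parent_name is None:
            continue  # unattributed rows repeat the attributed ones; tree only
        # A process launching a second copy of its own image is the launch step of the
        # suspended-process / PE-injection behaviour the report flags.
        if parent_name == child:
            add(("self-relaunch", parent_name, cmd))
        # cmd.exe /c timeout N from a non-shell parent is a shell-based delay.
        if child == "cmd.exe" and re.search(r"\btimeout\b", cmd, re.IGNORECASE):
            add(("timeout-delay", parent_name, cmd))
    return tree, findings


if __name__ == "__main__":
    tree, findings = analyze_process_tree(PROCESS_LINES)
    for parent, children in tree.items():
        print(parent, "->", ", ".join(children))
    for kind, subject, cmd in findings:
        print(f"[{kind}] {subject}: {cmd}")
```

On an endpoint the same three checks translate directly to process-creation telemetry (Sysmon event 1 or equivalent): parent image equal to child image, cmd.exe with timeout spawned by something other than a shell, and a WerFault for a freshly created process.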
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: PRICE LIST (NOVEMBER 2020).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: PRICE LIST (NOVEMBER 2020).exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: Binary string: System.Configuration.pdbY source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: nphjVisualBasic.pdb source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380203854.00000000008F7000.00000004.00000010.sdmp
                  Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000B.00000003.391923928.0000000004F6B000.00000004.00000040.sdmp
                  Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380744894.0000000000C9B000.00000004.00000020.sdmp
                  Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000B.00000003.392204198.0000000004F61000.00000004.00000040.sdmp
                  Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.392568947.0000000004F60000.00000004.00000040.sdmp
                  Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: System.Xml.pdb"" source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: winnsi.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: clr.pdb source: WerFault.exe, 0000000B.00000003.392568947.0000000004F60000.00000004.00000040.sdmp
                  Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: System.Windows.Forms.pdb-' source: WerFault.exe, 0000000B.00000003.391923928.0000000004F6B000.00000004.00000040.sdmp
                  Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380681653.0000000000C5B000.00000004.00000020.sdmp
                  Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000B.00000003.391923928.0000000004F6B000.00000004.00000040.sdmp
                  Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: shlwapi.pdb% source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: urlmon.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
                  Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380744894.0000000000C9B000.00000004.00000020.sdmp
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380681653.0000000000C5B000.00000004.00000020.sdmp
                  Source: Binary string: rtutils.pdbE source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
                  Source: Binary string: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).PDB source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380203854.00000000008F7000.00000004.00000010.sdmp
                  Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: i.pdb source: WerFault.exe, 0000000B.00000003.392204198.0000000004F61000.00000004.00000040.sdmp
                  Source: Binary string: urlmon.pdb! source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: msvcp_win.pdbL source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: edputil.pdbg source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbp source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380744894.0000000000C9B000.00000004.00000020.sdmp
                  Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: nsi.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: WLDP.pdbS source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: mscorlib.ni.pdbRSDS source: WERB99A.tmp.dmp.11.dr
                  Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: indows.Forms.pdb" source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: iertutil.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: PRICE LIST (NOVEMBER 2020).PDBr source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380203854.00000000008F7000.00000004.00000010.sdmp
                  Source: Binary string: rasadhlp.pdb- source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: \??\C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).PDBY source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380724372.0000000000C80000.00000004.00000020.sdmp
                  Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
                  Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb13 source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380681653.0000000000C5B000.00000004.00000020.sdmp
                  Source: Binary string: ole32.pdb@ source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: cryptsp.pdbR source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: mscorlib.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.391966580.0000000004F62000.00000004.00000040.sdmp
                  Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.391923928.0000000004F6B000.00000004.00000040.sdmp
                  Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERB99A.tmp.dmp.11.dr
                  Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: System.Xml.ni.pdbRSDS source: WERB99A.tmp.dmp.11.dr
                  Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: System.Xml.pdb-' source: WerFault.exe, 0000000B.00000003.391923928.0000000004F6B000.00000004.00000040.sdmp
                  Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbzI source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380581139.0000000000BFE000.00000004.00000020.sdmp
                  Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: ore.pdb\\ source: WerFault.exe, 0000000B.00000003.392204198.0000000004F61000.00000004.00000040.sdmp
                  Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: System.ni.pdbT3el source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
                  Source: Binary string: System.Core.ni.pdbRSDSD source: WERB99A.tmp.dmp.11.dr
                  Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
                  Source: Binary string: System.Xml.ni.pdb-' source: WerFault.exe, 0000000B.00000003.391923928.0000000004F6B000.00000004.00000040.sdmp
                  Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 0000000B.00000003.392204198.0000000004F61000.00000004.00000040.sdmp
                  Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000B.00000003.391923928.0000000004F6B000.00000004.00000040.sdmp
                  Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.392568947.0000000004F60000.00000004.00000040.sdmp
                  Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380681653.0000000000C5B000.00000004.00000020.sdmp
                  Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: propsys.pdb5 source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb*0 source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380681653.0000000000C5B000.00000004.00000020.sdmp
                  Source: Binary string: iertutil.pdb} source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
                  Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: wmswsock.pdbO source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000B.00000003.391923928.0000000004F6B000.00000004.00000040.sdmp
                  Source: Binary string: oleaut32.pdbJ source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: rtutils.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: System.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
                  Source: Binary string: wimm32.pdb.' source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb2 source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380681653.0000000000C5B000.00000004.00000020.sdmp
                  Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.392568947.0000000004F60000.00000004.00000040.sdmp
                  Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdblo source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380744894.0000000000C9B000.00000004.00000020.sdmp
                  Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: System.ni.pdbRSDS source: WERB99A.tmp.dmp.11.dr
                  Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: rasman.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380581139.0000000000BFE000.00000004.00000020.sdmp
                  Source: Binary string: cfgmgr32.pdbT source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: .pdb88 source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380203854.00000000008F7000.00000004.00000010.sdmp
                  Source: Binary string: version.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb* source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380681653.0000000000C5B000.00000004.00000020.sdmp
                  Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: System.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: ore.ni.pdb source: WerFault.exe, 0000000B.00000003.392204198.0000000004F61000.00000004.00000040.sdmp
                  Source: Binary string: ore.pdb source: WerFault.exe, 0000000B.00000003.392204198.0000000004F61000.00000004.00000040.sdmp
                  Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.392568947.0000000004F60000.00000004.00000040.sdmp
                  Source: Binary string: psapi.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbi18 source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380744894.0000000000C9B000.00000004.00000020.sdmp
                  Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: cldapi.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
                  Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000B.00000003.392115452.0000000004F91000.00000004.00000001.sdmp
                  Source: Binary string: wUxTheme.pdb+ source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: combase.pdbk source: WerFault.exe, 0000000B.00000003.391966580.0000000004F62000.00000004.00000040.sdmp
                  Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp
                  Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: powrprof.pdb^ source: WerFault.exe, 0000000B.00000003.391979190.0000000004F67000.00000004.00000040.sdmp
                  Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000B.00000002.417601833.0000000005180000.00000004.00000001.sdmp, WERB99A.tmp.dmp.11.dr
                  Source: Binary string: edputil.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp
                  Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000B.00000003.392017324.0000000004F73000.00000004.00000040.sdmp

                  Data Obfuscation:

                  Binary contains a suspicious time stamp
                  Source: initial sample; Static PE information: 0x88460DE1 [Fri Jun 13 17:14:09 2042 UTC]
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Code function: 0_2_068D24EA pushfd ; ret
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Code function: 0_2_068D327A push eax; retf
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Code function: 8_2_00E4B597 push edi; retn 0000h
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Code function: 8_2_00F88B75 pushad ; ret
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Code function: 8_2_00F8D9E4 push cs; ret
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Code function: 8_2_00F8D9D4 push cs; ret
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Code function: 8_2_00F8D9C4 push cs; ret
                  Source: initial sample; Static PE information: section name: .text entropy: 6.84633802835
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Process information set: NOOPENFILEERRORBOX (83 occurrences)
                  Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX (20 occurrences)

                  Malware Analysis System Evasion:

                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Window / User API: threadDelayed 385
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Window / User API: threadDelayed 2952
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Window / User API: threadDelayed 1389
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Window / User API: threadDelayed 8463
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe TID: 7028; Thread sleep count: 385 > 30
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe TID: 7028; Thread sleep count: 2952 > 30
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe TID: 6880; Thread sleep time: -18446744073709540s >= -30000s
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe TID: 6920; Thread sleep count: 1389 > 30
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe TID: 6920; Thread sleep count: 8463 > 30
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.390833495.0000000004DF0000.00000002.00000001.sdmp, PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.609887312.0000000005C60000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.417000819.0000000004C40000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.603913545.0000000001015000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
                  Source: WerFault.exe, 0000000B.00000002.416819094.0000000004944000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.390833495.0000000004DF0000.00000002.00000001.sdmp, PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.609887312.0000000005C60000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.417000819.0000000004C40000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.390833495.0000000004DF0000.00000002.00000001.sdmp, PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.609887312.0000000005C60000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.417000819.0000000004C40000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.380633022.0000000000C40000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.390833495.0000000004DF0000.00000002.00000001.sdmp, PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.609887312.0000000005C60000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.417000819.0000000004C40000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Process information queried: ProcessInformation

                  Anti Debugging:

                  Contains functionality to hide a thread from the debugger
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Code function: 0_2_027DA0D0 NtSetInformationThread ?,00000011,?,?,?,?,?,?,?,027DAD3F,00000000,00000000
                  Hides threads from debuggers
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Thread information set: HideFromDebugger (14 occurrences)
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Process queried: DebugPort (2 occurrences)
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Process token adjusted: Debug (2 occurrences)
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion:

                  Injects a PE file into a foreign process
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Memory written: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Process created: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe
                  Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604422396.0000000001530000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604422396.0000000001530000.00000002.00000001.sdmp; Binary or memory string: Progman
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604422396.0000000001530000.00000002.00000001.sdmp; Binary or memory string: &Program Manager
                  Source: PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604422396.0000000001530000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Queries volume information: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe VolumeInformation
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Queries volume information: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe VolumeInformation
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 occurrences)
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.408840217.0000000007761000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.407424044.0000000006835000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.601396712.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PRICE LIST (NOVEMBER 2020).exe PID: 1508, type: MEMORY
Source: Yara match | File source: Process Memory Space: PRICE LIST (NOVEMBER 2020).exe PID: 7024, type: MEMORY
Source: Yara match | File source: 0.2.PRICE LIST (NOVEMBER 2020).exe.6835558.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.PRICE LIST (NOVEMBER 2020).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PRICE LIST (NOVEMBER 2020).exe.6835558.11.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: Yara match | File source: 00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PRICE LIST (NOVEMBER 2020).exe PID: 1508, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.408840217.0000000007761000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.407424044.0000000006835000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.601396712.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PRICE LIST (NOVEMBER 2020).exe PID: 1508, type: MEMORY
Source: Yara match | File source: Process Memory Space: PRICE LIST (NOVEMBER 2020).exe PID: 7024, type: MEMORY
Source: Yara match | File source: 0.2.PRICE LIST (NOVEMBER 2020).exe.6835558.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.PRICE LIST (NOVEMBER 2020).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PRICE LIST (NOVEMBER 2020).exe.6835558.11.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection112 | Virtualization/Sandbox Evasion25 | Input Capture1 | Security Software Discovery331 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | Credentials in Registry1 | Virtualization/Sandbox Evasion25 | Remote Desktop Protocol | Input Capture1 | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection112 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Archive Collected Data1 | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information2 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Clipboard Data1 | Scheduled Transfer | Application Layer Protocol12 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing2 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Timestomp1 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery113 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

                  Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
PRICE LIST (NOVEMBER 2020).exe | 26% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
PRICE LIST (NOVEMBER 2020).exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
8.2.PRICE LIST (NOVEMBER 2020).exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains

Source | Detection | Scanner | Label
coroloboxorozor.com | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://CMvIqY.com | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://coroloboxorozor.com | 0% | Avira URL Cloud | safe
https://api.ipify.org%$ | 0% | Avira URL Cloud | safe
http://r3.i.lencr.org/05 | 0% | Avira URL Cloud | safe
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
http://L2JzF7P98hlnK.net | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://coroloboxorozor.com/base/FBD1AA88F2DB3E5E79F7212492E97FE4.html | 0% | Avira URL Cloud | safe
http://mail.electrobelarmino.pt | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
coroloboxorozor.com | 104.21.71.230 | true | false | | unknown
mail.electrobelarmino.pt | 109.71.43.243 | true | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://L2JzF7P98hlnK.net | true | Avira URL Cloud: safe | unknown
http://coroloboxorozor.com/base/FBD1AA88F2DB3E5E79F7212492E97FE4.html | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005 | WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp | false | | high
http://127.0.0.1:HTTP/1.1 | PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://CMvIqY.com | PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://DynDns.comDynDNS | PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://cps.letsencrypt.org0 | PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.606198397.0000000002E7B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200 | WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone | WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone | WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince | WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp | false | | high
http://coroloboxorozor.com | PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.381179952.0000000002871000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20 | WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp | false | | high
https://api.ipify.org%$ | PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication | WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o | WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o | WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp | false | | high
http://r3.i.lencr.org/05 | PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.606198397.0000000002E7B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://r3.o.lencr.org0 | PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.606198397.0000000002E7B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp | false | | high
http://mail.electrobelarmino.pt | PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.606198397.0000000002E7B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.381179952.0000000002871000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.390219743.00000000051C0000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | PRICE LIST (NOVEMBER 2020).exe, 00000000.00000002.408840217.0000000007761000.00000004.00000001.sdmp, PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.601396712.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://cps.root-x1.letsencrypt.org0 | PRICE LIST (NOVEMBER 2020).exe, 00000008.00000002.606198397.0000000002E7B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.71.230 | unknown | United States | 13335 | CLOUDFLARENETUS | false

                                                General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356549
Start date: 23.02.2021
Start time: 09:57:18
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 9s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PRICE LIST (NOVEMBER 2020).exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@9/4@2/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0% (good quality ratio 0%)
• Quality average: 0%
• Quality standard deviation: 0%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                • TCP Packets have been reduced to 100
                                                • Excluded IPs from analysis (whitelisted): 184.30.21.219, 204.79.197.200, 13.107.21.200, 51.104.139.180, 104.42.151.234, 92.122.145.220, 104.43.139.144, 13.88.21.125, 52.255.188.83, 2.20.142.209, 2.20.142.210, 51.103.5.186, 52.155.217.156, 20.54.26.129, 92.122.213.247, 92.122.213.194, 104.43.193.48, 184.30.20.56, 51.11.168.160
                                                • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Report size getting too big, too many NtSetInformationFile calls found.

                                                Simulations

                                                Behavior and APIs

Time | Type | Description
09:58:49 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
09:58:49 | API Interceptor | 587x Sleep call for process: PRICE LIST (NOVEMBER 2020).exe modified

                                                Joe Sandbox View / Context

                                                IPs

Match | Associated Sample Name / URL | Detection | Context
104.21.71.230 | A4-058000200390-10-14_REV_pdf.exe | malicious | coroloboxorozor.com/base/B7EFDEC15CD29E4CF1B708AC6486760D.html
104.21.71.230 | Purchase_order_397484658464974945648447564845.exe | malicious | coroloboxorozor.com/base/C02C82A7124B198823DC14A0727ADA5A.html
104.21.71.230 | 0603321WG_0_1 pdf.exe | malicious | coroloboxorozor.com/base/008D1C43D45C0A742A0D32B591796DBD.html
104.21.71.230 | VIws8bzjD5.exe | malicious | coroloboxorozor.com/base/C56E2AF17B6C065E85DB9FFDA54E4A78.html
104.21.71.230 | quotation_PR # 00459182..exe | malicious | coroloboxorozor.com/base/4FD4067B934700360B786D96F374CFDE.html
104.21.71.230 | PURCHASE ORDER CONFIRMATION.exe | malicious | coroloboxorozor.com/base/13F70A6846505248D031FD970E34143C.html
104.21.71.230 | PAYRECEIPT.exe | malicious | coroloboxorozor.com/base/FB9E1E734185F7528241A9972CE86875.html
104.21.71.230 | New Order.exe | malicious | coroloboxorozor.com/base/787C0D9D971EA648C79BB43D6A91B32D.html
104.21.71.230 | TT.exe | malicious | coroloboxorozor.com/base/67C230E277706E38533C2138734032C2.html
104.21.71.230 | Payment_pdf.exe | malicious | coroloboxorozor.com/base/07E3F6F835A7792863F708E23906CE42.html
104.21.71.230 | TT.exe | malicious | coroloboxorozor.com/base/40B9FF72D3F4D8DF64BA5DD4E106BE04.html
104.21.71.230 | purchase order 1.exe | malicious | coroloboxorozor.com/base/AEF764C22A189B57AC28E3EBBC72AEBF.html
104.21.71.230 | telex transfer.exe | malicious | coroloboxorozor.com/base/EB6932098F110FB9EB9C8B27A1730610.html
104.21.71.230 | ORDER PURCHASE ITEMS.exe | malicious | coroloboxorozor.com/base/20872932CF927ACBA3BF36E6C823C99C.html
104.21.71.230 | Doc_3975465846584657465846486435454,pdf.exe | malicious | coroloboxorozor.com/base/92C7F4831C860C5A2BD3269A6771BC0C.html
104.21.71.230 | CV-JOB REQUEST______pdf.exe | malicious | coroloboxorozor.com/base/38A59769F794F78901E2621810DAAA3A.html
104.21.71.230 | CN-Invoice-XXXXX9808-19011143287989.exe | malicious | coroloboxorozor.com/base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html
104.21.71.230 | Download_quotation_PR #371073.exe | malicious | coroloboxorozor.com/base/ABC115F63E3898678C2BE51E3DFF397C.html
104.21.71.230 | CN-Invoice-XXXXX9808-19011143287990.exe | malicious | coroloboxorozor.com/base/84D1B49C9212CA5D522F0AF86A906727.html
104.21.71.230 | PurchaseOrdersCSTtyres004786587.exe | malicious | coroloboxorozor.com/base/532020C7A3B820370CFAAC4888397C0C.html

                                                Domains

                                                Match: coroloboxorozor.com
                                                Associated Sample Name / URL | Detection | Context
                                                A4-058000200390-10-14_REV_pdf.exe | malicious | 104.21.71.230
                                                Purchase_order_397484658464974945648447564845.exe | malicious | 104.21.71.230
                                                0603321WG_0_1 pdf.exe | malicious | 172.67.172.17
                                                Payment_pdf.exe | malicious | 172.67.172.17
                                                RG6ws8jWUJ.exe | malicious | 172.67.172.17
                                                VIws8bzjD5.exe | malicious | 104.21.71.230
                                                PURCHASE ITEMS.exe | malicious | 172.67.172.17
                                                CN-Invoice-XXXXX9808-19011143287992.exe | malicious | 172.67.172.17
                                                quotation_PR # 00459182..exe | malicious | 104.21.71.230
                                                PURCHASE ORDER CONFIRMATION.exe | malicious | 104.21.71.230
                                                PAYMENTADVICENOTE103_SWIFTCOPY0909208.exe | malicious | 172.67.172.17
                                                XP 6.xlsx | malicious | 172.67.172.17
                                                PAYRECEIPT.exe | malicious | 104.21.71.230
                                                New Order.exe | malicious | 104.21.71.230
                                                PO#87498746510.exe | malicious | 172.67.172.17
                                                TT.exe | malicious | 172.67.172.17
                                                Payment_pdf.exe | malicious | 172.67.172.17
                                                TT.exe | malicious | 104.21.71.230
                                                purchase order 1.exe | malicious | 104.21.71.230
                                                telex transfer.exe | malicious | 104.21.71.230

                                                ASN

                                                Match: CLOUDFLARENETUS
                                                Associated Sample Name / URL | Detection | Context
                                                SecuriteInfo.com.Trojan.GenericKD.36273230.25906.exe | malicious | 104.21.50.15
                                                A4-058000200390-10-14_REV_pdf.exe | malicious | 104.21.71.230
                                                SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe | malicious | 172.67.199.58
                                                SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.exe | malicious | 104.21.50.15
                                                SecuriteInfo.com.Trojan.GenericKD.36273230.25906.exe | malicious | 104.21.50.15
                                                v2.exe | malicious | 172.67.188.154
                                                Purchase_order_397484658464974945648447564845.exe | malicious | 104.21.71.230
                                                0603321WG_0_1 pdf.exe | malicious | 172.67.172.17
                                                Payment_pdf.exe | malicious | 172.67.172.17
                                                8WjU4jrBIr.exe | malicious | 104.23.98.190
                                                RG6ws8jWUJ.exe | malicious | 172.67.172.17
                                                8TD8GfTtaW.exe | malicious | 104.23.99.190
                                                lpdKSOB78u.exe | malicious | 104.21.76.239
                                                VIws8bzjD5.exe | malicious | 172.67.172.17
                                                PURCHASE ITEMS.exe | malicious | 172.67.172.17
                                                Shipping Document PL&BL Draft.exe | malicious | 172.67.188.154
                                                CN-Invoice-XXXXX9808-19011143287992.exe | malicious | 172.67.172.17
                                                Halkbank_Ekstre_20210223_082357_541079.exe | malicious | 172.67.188.154
                                                quotation_PR # 00459182..exe | malicious | 172.67.172.17
                                                FOB offer_1164087223_I0133P2100363812.PDF.exe | malicious | 104.21.19.200

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_PRICE LIST (NOVE_2669e49e9dcb5c7f076336b8bf762a6b5e1646_915b61a4_1a53eef2\Report.wer
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):15584
                                                Entropy (8bit):3.7777374596954356
                                                Encrypted:false
                                                SSDEEP:96:MqMJbRQMvSklnLWMlHHxpLUpXINSm+BHUHZ0ownOgtYsH5Ef5BAKcp2OyPnr3sbh:34b1mPaKsUAeZiN/u7snS274Itk/
                                                MD5:6D2C097DF4D3059EC092A091C97A3831
                                                SHA1:82DC0B4978968722A56BD814F3A4CCFDBC5ABDBC
                                                SHA-256:789338BB58CA739D236920017EEB239D7693FE12B36A1C2ABF5872DC04CF5FA7
                                                SHA-512:3C811B676C510EEFA6F9D0282A301B0431552AE1469167B4EB719ECAEAD6B5BD0B8A1C79D6D34D5ED8A8B79FB2603C4EA050782392A32029AE808AA306F304C0
                                                Malicious:false
                                                Reputation:low
                                                Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.8.5.7.6.7.1.5.6.5.2.7.7.1.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.8.5.7.6.7.2.6.9.0.2.7.1.3.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.5.6.6.5.2.8.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.a.e.7.5.3.5.f.-.d.4.f.5.-.4.1.2.b.-.8.9.a.3.-.f.1.3.e.0.a.3.b.3.7.e.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.8.9.e.a.d.0.d.-.6.1.a.a.-.4.9.f.e.-.8.c.d.8.-.e.9.f.b.f.7.b.7.1.7.2.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.R.I.C.E. .L.I.S.T. .(.N.O.V.E.M.B.E.R. .2.0.2.0.)...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.7.0.-.0.0.0.1.-.0.0.1.7.-.5.0.7.2.-.7.1.7.2.0.d.0.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.9.9.e.7.3.3.8.a.6.f.1.7.8.c.a.5.7.0.7.4.3.e.9.5.7.3.a.5.0.c.f.0.0.0.0.0.9.0.4.!.0.0.0.0.0.e.c.f.3.1.5.e.5.a.7.2.a.3.c.9.d.d.d.3.8.6.d.1.1.1.6.d.2.2.6.5.8.7.7.b.4.0.2.7.!.P.R.I.C.E. .L.
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WERB99A.tmp.dmp
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 15 streams, CheckSum 0x00000004, Tue Feb 23 17:58:38 2021, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):194948
                                                Entropy (8bit):4.467474118310582
                                                Encrypted:false
                                                SSDEEP:3072:20KUCgUmhoiVwtjQ0sATjd+p7p92zfzNB9gIOgF57Cd:2fTjspV105MpVgB9RpD7W
                                                MD5:5A4D0CDF07AE72AC9AB0EB3F74AB08A5
                                                SHA1:E7BF0A16C1871642760E1288C3A1CAD3190AB907
                                                SHA-256:9DBF9E4F9CBBBE087D8E067B1FC56F9161FC6CEF3AE3EE145A31DDAB0C723084
                                                SHA-512:4380BD72D9B6C9632B32CC93F552740A0F493D3D054A29CF25658C2627593D693CB8C57A866E2CDCB1A0873D6151C199C456DE501DB7E8953B9BDE3B3E482B1E
                                                Malicious:false
                                                Reputation:low
                                                Preview: MDMP....... .......NB5`...................U...........B.......)......GenuineIntelW...........T.......p...2B5`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WERC7A4.tmp.WERInternalMetadata.xml
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8076
                                                Entropy (8bit):3.707798630191834
                                                Encrypted:false
                                                SSDEEP:192:Rrl7r3GLNiE46ym6YJASUO9WAgmfZ2SpCprw89bpxsfZjm:RrlsNiT6j6Y+SUO9JgmfESMpqfQ
                                                MD5:6AF5FDF92E90A0C83292F3C9D33FCC05
                                                SHA1:B9F910EF08C96184C3575D7B5D5D1720AA8A82B4
                                                SHA-256:1B82C513BEAB7C25CA1478BAEFBA5AB27DB831D78798BC83A3F889774030C1ED
                                                SHA-512:DCAB9849C6FD364E9F9C06F3DD3D7EC86C559AD983844813EC784C7F753BD4DF104331D5EDE0C73131F4FE9F0F6CE868F35969EAE58159EB68F8E76E88C16630
                                                Malicious:false
                                                Reputation:low
                                                Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.2.4.<./.P.i.d.>.......
                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBCC.tmp.xml
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4768
                                                Entropy (8bit):4.536018555521011
                                                Encrypted:false
                                                SSDEEP:48:cvIwSD8zs/8JgtWI9B7hWSC8B38fm8M4JwulxFFL+q8v5xBUWGH91Lq189d:uITfS+MSNKJwGKyWGHLLyKd
                                                MD5:029B30A5F5B15B8ECB55D6067F686CC3
                                                SHA1:B77A0EC03763101D48BAA1D73F9F9CB555417C05
                                                SHA-256:A7A63DF05F192787C5408AADEFD4C98215256A235F3124C90289BBA4541089C4
                                                SHA-512:1F7FB135BDC6A00882E20BEEF95B43CED5F3559B78BC375B6C4C1C71C9E9F557D9043AC8A9A371512201F6AE88C9AFE51D7BF6595616EADECCCEFBCB39E44899
                                                Malicious:false
                                                Reputation:low
                                                Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="874269" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):6.9085274554917975
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                • Win32 Executable (generic) a (10002005/4) 49.97%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                • DOS Executable Generic (2002/1) 0.01%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:PRICE LIST (NOVEMBER 2020).exe
                                                File size:32624
                                                MD5:404ef05a6acc67c2b59189171f9eb0fc
                                                SHA1:0ecf315e5a72a3c9ddd386d1116d2265877b4027
                                                SHA256:863d464bb43bda7378c611a5c16410a3c279ca72e447632f5e03f8418f5464d8
                                                SHA512:19ea2b67ef1661bcb5c2bb9640970ad8f3c734958853cd98045eb79b833d3b3bbfa0af59b1cf49e7175e9fa0d3dc3d4dfe75ce97fb6053b6f94d18510a296c0a
                                                SSDEEP:768:SxBXcbNpmqXnAfyjpX999Z99DfjAw4mTkrkEkeDhSa:SzuDp999Z99/d4mwIhE
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....F...............0..`..........^~... ........@.. ....................................@................................

                                                File Icon

                                                Icon Hash:00828e8e8686b000

                                                Static PE Info

                                                General

                                                Entrypoint:0x407e5e
                                                Entrypoint Section:.text
                                                Digitally signed:true
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp:0x88460DE1 [Fri Jun 13 17:14:09 2042 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:v4.0.30319
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                Authenticode Signature

                                                Signature Valid:false
                                                Signature Issuer:C=????????????????????????????????????????????????, S=&#229;&#135;&#143;&#229;&#135;&#152;&#229;&#135;&#151;&#229;&#134;&#185;&#229;&#135;&#133;&#229;&#135;&#147;&#229;&#135;&#156;&#229;&#134;&#172;&#229;&#135;&#155;&#229;&#134;&#163;&#229;&#134;&#170;&#229;&#134;&#185;&#229;&#135;&#143;&#229;&#134;&#168;&#229;&#134;&#175;&#229;&#134;&#164;&#229;&#135;&#138;&#229;&#134;&#178;&#229;&#134;&#179;&#229;&#135;&#149;&#229;&#134;&#170;&#229;&#134;&#179;, L=&#239;&#132;&#158;&#239;&#132;&#160;&#239;&#132;&#157;&#239;&#133;&#135;&#239;&#132;&#167;&#239;&#132;&#190;&#239;&#132;&#158;&#239;&#133;&#141;&#239;&#132;&#160;&#239;&#133;&#144;&#239;&#132;&#185;&#239;&#133;&#132;&#239;&#132;&#176;&#239;&#132;&#168;&#239;&#133;&#143;&#239;&#132;&#156;&#239;&#132;&#175;&#239;&#132;&#172;&#239;&#132;&#158;&#239;&#133;&#131;&#239;&#132;&#161;&#239;&#133;&#134;&#239;&#132;&#162;&#239;&#132;&#174;&#239;&#133;&#144;&#239;&#132;&#152;&#239;&#133;&#135;&#239;&#132;&#167;&#239;&#133;&#140;&#239;&#132;&#165;, T=&#239;&#190;&#163;&#239;&#189;&#176;&#239;&#190;&#146;&#239;&#190;&#142;&#239;&#189;&#175;&#239;&#189;&#181;&#239;&#190;&#153;&#239;&#189;&#188;&#239;&#189;&#182;&#239;&#190;&#156;&#239;&#189;&#175;&#239;&#190;&#158;&#239;&#189;&#184;&#239;&#190;&#152;&#239;&#190;&#153;&#239;&#190;&#141;, E=???????????????, OU=&#238;&#130;&#129;&#238;&#129;&#159;&#238;&#129;&#153;&#238;&#129;&#162;&#238;&#130;&#136;&#238;&#130;&#139;&#238;&#129;&#190;&#238;&#129;&#151;&#238;&#129;&#163;&#238;&#130;&#138;&#238;&#130;&#131;&#238;&#130;&#138;&#238;&#129;&#164;, 
O=&#227;&#138;&#161;&#227;&#138;&#155;&#227;&#138;&#144;&#227;&#138;&#149;&#227;&#137;&#182;&#227;&#138;&#155;&#227;&#137;&#184;&#227;&#137;&#171;&#227;&#138;&#139;&#227;&#137;&#180;&#227;&#137;&#179;&#227;&#137;&#187;&#227;&#137;&#168;&#227;&#137;&#174;&#227;&#137;&#168;&#227;&#138;&#158;&#227;&#137;&#181;&#227;&#137;&#168;&#227;&#138;&#139;&#227;&#137;&#184;&#227;&#137;&#173;&#227;&#138;&#137;&#227;&#137;&#182;&#227;&#138;&#136;, CN=&#230;&#158;&#138;&#230;&#158;&#142;&#230;&#159;&#128;&#230;&#158;&#156;&#230;&#158;&#180;&#230;&#158;&#175;&#230;&#158;&#154;&#230;&#158;&#141;&#230;&#158;&#137;&#230;&#158;&#169;&#230;&#158;&#144;&#230;&#158;&#150;&#230;&#158;&#170;&#230;&#158;&#156;&#230;&#158;&#182;&#230;&#158;&#188;&#230;&#158;&#173;&#230;&#158;&#143;&#230;&#158;&#169;&#230;&#158;&#152;&#230;&#158;&#168;&#230;&#158;&#156;&#230;&#158;&#174;&#230;&#158;&#171;&#230;&#158;&#149;&#230;&#158;&#148;
                                                Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                Error Number:-2146762487
                                                Not Before, Not After
                                                • 2/22/2021 2:31:55 PM 2/22/2022 2:31:55 PM
                                                Subject Chain
                                                • C=????????????????????????????????????????????????, S=&#229;&#135;&#143;&#229;&#135;&#152;&#229;&#135;&#151;&#229;&#134;&#185;&#229;&#135;&#133;&#229;&#135;&#147;&#229;&#135;&#156;&#229;&#134;&#172;&#229;&#135;&#155;&#229;&#134;&#163;&#229;&#134;&#170;&#229;&#134;&#185;&#229;&#135;&#143;&#229;&#134;&#168;&#229;&#134;&#175;&#229;&#134;&#164;&#229;&#135;&#138;&#229;&#134;&#178;&#229;&#134;&#179;&#229;&#135;&#149;&#229;&#134;&#170;&#229;&#134;&#179;, L=&#239;&#132;&#158;&#239;&#132;&#160;&#239;&#132;&#157;&#239;&#133;&#135;&#239;&#132;&#167;&#239;&#132;&#190;&#239;&#132;&#158;&#239;&#133;&#141;&#239;&#132;&#160;&#239;&#133;&#144;&#239;&#132;&#185;&#239;&#133;&#132;&#239;&#132;&#176;&#239;&#132;&#168;&#239;&#133;&#143;&#239;&#132;&#156;&#239;&#132;&#175;&#239;&#132;&#172;&#239;&#132;&#158;&#239;&#133;&#131;&#239;&#132;&#161;&#239;&#133;&#134;&#239;&#132;&#162;&#239;&#132;&#174;&#239;&#133;&#144;&#239;&#132;&#152;&#239;&#133;&#135;&#239;&#132;&#167;&#239;&#133;&#140;&#239;&#132;&#165;, T=&#239;&#190;&#163;&#239;&#189;&#176;&#239;&#190;&#146;&#239;&#190;&#142;&#239;&#189;&#175;&#239;&#189;&#181;&#239;&#190;&#153;&#239;&#189;&#188;&#239;&#189;&#182;&#239;&#190;&#156;&#239;&#189;&#175;&#239;&#190;&#158;&#239;&#189;&#184;&#239;&#190;&#152;&#239;&#190;&#153;&#239;&#190;&#141;, E=???????????????, OU=&#238;&#130;&#129;&#238;&#129;&#159;&#238;&#129;&#153;&#238;&#129;&#162;&#238;&#130;&#136;&#238;&#130;&#139;&#238;&#129;&#190;&#238;&#129;&#151;&#238;&#129;&#163;&#238;&#130;&#138;&#238;&#130;&#131;&#238;&#130;&#138;&#238;&#129;&#164;, 
O=&#227;&#138;&#161;&#227;&#138;&#155;&#227;&#138;&#144;&#227;&#138;&#149;&#227;&#137;&#182;&#227;&#138;&#155;&#227;&#137;&#184;&#227;&#137;&#171;&#227;&#138;&#139;&#227;&#137;&#180;&#227;&#137;&#179;&#227;&#137;&#187;&#227;&#137;&#168;&#227;&#137;&#174;&#227;&#137;&#168;&#227;&#138;&#158;&#227;&#137;&#181;&#227;&#137;&#168;&#227;&#138;&#139;&#227;&#137;&#184;&#227;&#137;&#173;&#227;&#138;&#137;&#227;&#137;&#182;&#227;&#138;&#136;, CN=&#230;&#158;&#138;&#230;&#158;&#142;&#230;&#159;&#128;&#230;&#158;&#156;&#230;&#158;&#180;&#230;&#158;&#175;&#230;&#158;&#154;&#230;&#158;&#141;&#230;&#158;&#137;&#230;&#158;&#169;&#230;&#158;&#144;&#230;&#158;&#150;&#230;&#158;&#170;&#230;&#158;&#156;&#230;&#158;&#182;&#230;&#158;&#188;&#230;&#158;&#173;&#230;&#158;&#143;&#230;&#158;&#169;&#230;&#158;&#152;&#230;&#158;&#168;&#230;&#158;&#156;&#230;&#158;&#174;&#230;&#158;&#171;&#230;&#158;&#149;&#230;&#158;&#148;
                                                Version:3
                                                Thumbprint MD5:838681B16D3D15D936CB197B5FF933E2
                                                Thumbprint SHA-1:979E9C65EF22267B08E05993E729B4436ABFA30A
                                                Thumbprint SHA-256:296F5CC2F7998028F80027C03F4B399B538AC67666FEE8B7152E7336B0487D44
                                                Serial:00DFB81554F129BEF797D45ACC5896E37F

                                                Entrypoint Preview

                                                Instruction
                                                jmp dword ptr [00402000h]
                                                add byte ptr [eax], al (repeated 97 times: the bytes after the single-jump managed entrypoint stub are zero padding, which decodes to this instruction)

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x7e0c           0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x8000           0x3e0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x6800           0x1770
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xa000           0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x2000           0x5e64        0x6000    False     0.436645507812   data       6.84633802835    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x8000           0x3e0         0x400     False     0.4658203125     data       3.54455503901    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xa000           0xc           0x200     False     0.044921875      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name        RVA     Size   Type  Language  Country
RT_VERSION  0x8058  0x388  data  English   United States

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
LegalCopyright    Copyright 2022 CjiuFAUH. All rights reserved.
Assembly Version  4.3.4.0
InternalName      VHQefUyV.exe
FileVersion       3.8.6.3
CompanyName       HDCkoRLh
LegalTrademarks   SEpyLMyT
Comments          CATdaEvp
ProductName       VHQefUyV
ProductVersion    4.3.4.0
FileDescription   MGLkYrQM
OriginalFilename  VHQefUyV.exe
Translation       0x0409 0x0514

Possible Origin

Language of compilation system  Country where language is spoken
English                         United States

Network Behavior

Network Port Distribution

TCP Packets


UDP Packets


DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                      Type            Class
Feb 23, 2021 09:58:11.400343895 CET  192.168.2.6  8.8.8.8  0xcc4b    Standard query (0)  coroloboxorozor.com       A (IP address)  IN (0x0001)
Feb 23, 2021 10:00:17.463215113 CET  192.168.2.6  8.8.8.8  0x8f5d    Standard query (0)  mail.electrobelarmino.pt  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                      CName  Address        Type            Class
Feb 23, 2021 09:58:11.460376024 CET  8.8.8.8    192.168.2.6  0xcc4b    No error (0)  coroloboxorozor.com              104.21.71.230  A (IP address)  IN (0x0001)
Feb 23, 2021 09:58:11.460376024 CET  8.8.8.8    192.168.2.6  0xcc4b    No error (0)  coroloboxorozor.com              172.67.172.17  A (IP address)  IN (0x0001)
Feb 23, 2021 10:00:17.531023026 CET  8.8.8.8    192.168.2.6  0x8f5d    No error (0)  mail.electrobelarmino.pt         109.71.43.243  A (IP address)  IN (0x0001)

HTTP Request Dependency Graph

• coroloboxorozor.com

HTTP Packets

Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.6  49711        104.21.71.230   80                C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe

Timestamp                            kBytes transferred  Direction  Data
Feb 23, 2021 09:58:11.550564051 CET  1090                OUT        GET /base/FBD1AA88F2DB3E5E79F7212492E97FE4.html HTTP/1.1
Host: coroloboxorozor.com
Connection: Keep-Alive
Feb 23, 2021 09:58:11.669672012 CET  1092                IN         HTTP/1.1 200 OK
Date: Tue, 23 Feb 2021 08:58:11 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d9f146432d691f502a99c6af0b59c5ad41614070691; expires=Thu, 25-Mar-21 08:58:11 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Mon, 22 Feb 2021 22:31:52 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 086fb54f0400004c91ce8ce000000001
Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=bT5dh5XRbuDUZZ0Vs%2F6zo3dmicm5%2B%2BuvU76ejQkzUdOReaWiTUY8L%2F36nBo9SflV30a2je6zBp56jL8MAZLxqF7hoiknK4gJ1LQ3a6TjPhSRsU4y"}],"max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 625fbe5e680f4c91-AMS
Data Ascii: 7c93<p>HHRJFRknnRFRWRFRFRFRnRFRFRFRmggRmggRFRFRkrnRFRFRFRFRFRFRFRVnRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRFRkmrRFRFRFRknRWkRkrVRknRFRkrFRJRmFgRWWRkrnRkRHVRmFgRWWRrnRkFnRkFgRkkgRWmRkkmRkknRkkkRkFWRkknRJHRkFJRWmRJJRJHRkkFRkkFRkkkRkkVRWmRJrRkFkRWmRkknRkkHRkkFRWmRkFgRkkFRWmRVrRHJRrWRWmRkFJRkkkRkFFRkFkRnVRkWRkWRkFRWVRFRFRFRFRFRFRFRrFRVJRFRFRHVRkRWRFRHVRknmRnkRkrFRFRFRFRFRFRFRFRFRmmnRFRWnRFRkkRkRrFRFRFRJrRnRFRFRVRFRFRFRFRFRFRmFVRkmJRnRFRFRWmRFRFRFRkVFRnRFRFRFRFRkmrRFRWmRFRFRFRmRFRFRnRFRFRFRFRFRFRFRnRFRFRFRF


Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 09:58:10
Start date: 23/02/2021
Path: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe'
Imagebase: 0x4e0000
File size: 32624 bytes
MD5 hash: 404EF05A6ACC67C2B59189171F9EB0FC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.408840217.0000000007761000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.407424044.0000000006835000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 09:58:28
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:58:29
Start date: 23/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:58:29
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit): true
Commandline: timeout 1
Imagebase: 0x280000
File size: 26112 bytes
MD5 hash: 121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:58:31
Start date: 23/02/2021
Path: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\PRICE LIST (NOVEMBER 2020).exe
Imagebase: 0x840000
File size: 32624 bytes
MD5 hash: 404EF05A6ACC67C2B59189171F9EB0FC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.601396712.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.604780526.0000000002B11000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 09:58:33
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 1592
Imagebase: 0xcc0000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Disassembly

Code Analysis
