Source: Request For Quotation_pdf.exe.6644.0.memstr |
Malware Configuration Extractor: Agenttesla {"Username: ": "kBDUWu4tdzmw4m", "URL: ": "https://70m3WJPOC5dv7ww.org", "To: ": "diamondraylog@yandex.ru", "ByHost: ": "smtp.yandex.ru:587", "Password: ": "RQslMXh", "From: ": "diamondraylog@yandex.ru"} |
Source: C:\Users\user\AppData\Roaming\FLahHLuGzK.exe |
ReversingLabs: Detection: 26% |
Source: Request For Quotation_pdf.exe |
ReversingLabs: Detection: 26% |
Source: Request For Quotation_pdf.exe |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE |
Source: Request For Quotation_pdf.exe |
Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: Malware configuration extractor |
URLs: https://70m3WJPOC5dv7ww.org |
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp |
String found in binary or memory: http://127.0.0.1:HTTP/1.1 |
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp |
String found in binary or memory: http://DynDns.comDynDNS |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.certum.pl/ca.crl0h |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.certum.pl/ctnca.crl0k |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp |
String found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0- |
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp |
String found in binary or memory: http://mPTCSt.com |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp |
String found in binary or memory: http://repository.certum.pl/ca.cer09 |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp |
String found in binary or memory: http://repository.certum.pl/ctnca.cer09 |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp |
String found in binary or memory: http://repository.certum.pl/ycasha2.cer0 |
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp |
String found in binary or memory: http://subca.ocsp-certum.com0. |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp |
String found in binary or memory: http://subca.ocsp-certum.com01 |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp |
String found in binary or memory: http://www.certum.pl/CPS0 |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp |
String found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp |
String found in binary or memory: http://yandex.ocsp-responder.com03 |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606237650.0000000002D12000.00000004.00000001.sdmp, Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp, Request For Quotation_pdf.exe, 00000000.00000002.606128052.0000000002CE0000.00000004.00000001.sdmp, Request For Quotation_pdf.exe, 00000000.00000002.606399641.0000000002D44000.00000004.00000001.sdmp |
String found in binary or memory: https://70m3WJPOC5dv7ww.org |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp |
String found in binary or memory: https://www.certum.pl/CPS0 |
Source: Request For Quotation_pdf.exe, 00000000.00000002.608313718.0000000003D76000.00000004.00000001.sdmp |
String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip |
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp |
String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha |
Source: Request For Quotation_pdf.exe, 00000000.00000002.603371760.0000000000D98000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
|
Source: initial sample |
Static PE information: Filename: Request For Quotation_pdf.exe |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Code function: 0_2_00B48BF0 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Code function: 0_2_00B42718 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Code function: 0_2_00B45350 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Code function: 0_2_00B4A0B8 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Code function: 0_2_00B4B4E8 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Code function: 0_2_00B44448 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Code function: 0_2_00B45FB0 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Code function: 0_2_00B4A7E8 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Code function: 0_2_028DC62C |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Code function: 0_2_028DE890 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Code function: 0_2_028DE8A0 |
Source: Request For Quotation_pdf.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: FLahHLuGzK.exe.0.dr |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: Request For Quotation_pdf.exe, 00000000.00000002.607460880.0000000003A7F000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenamePositiveSign.dll< vs Request For Quotation_pdf.exe |
Source: Request For Quotation_pdf.exe, 00000000.00000002.608313718.0000000003D76000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenamexjKPyntUGvaYvfCkJdXbGEvM.exe4 vs Request For Quotation_pdf.exe |
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameSoapName.dll2 vs Request For Quotation_pdf.exe |
Source: Request For Quotation_pdf.exe, 00000000.00000002.610086375.0000000006210000.00000002.00000001.sdmp |
Binary or memory string: System.OriginalFileName vs Request For Quotation_pdf.exe |
Source: Request For Quotation_pdf.exe, 00000000.00000002.610533650.0000000006610000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Request For Quotation_pdf.exe |
Source: Request For Quotation_pdf.exe, 00000000.00000002.602119236.000000000064E000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameCompletionActionInvoker.exe@ vs Request For Quotation_pdf.exe |
Source: Request For Quotation_pdf.exe, 00000000.00000002.603371760.0000000000D98000.00000004.00000020.sdmp |
Binary or memory string: OriginalFilenameclr.dllT vs Request For Quotation_pdf.exe |
Source: Request For Quotation_pdf.exe, 00000000.00000002.610290393.0000000006310000.00000002.00000001.sdmp |
Binary or memory string: originalfilename vs Request For Quotation_pdf.exe |
Source: Request For Quotation_pdf.exe, 00000000.00000002.610290393.0000000006310000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Request For Quotation_pdf.exe |
Source: Request For Quotation_pdf.exe |
Binary or memory string: OriginalFilenameCompletionActionInvoker.exe@ vs Request For Quotation_pdf.exe |
Source: classification engine |
Classification label: mal100.troj.spyw.evad.winEXE@4/4@1/1 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Mutant created: \Sessions\1\BaseNamedObjects\wAUTKAiLyvsCebSuWgxOX |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01 |
Source: Request For Quotation_pdf.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: unknown |
Process created: C:\Users\user\Desktop\Request For Quotation_pdf.exe 'C:\Users\user\Desktop\Request For Quotation_pdf.exe' |
|
Source: unknown |
Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp' |
|
Source: unknown |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp' |
Source: Request For Quotation_pdf.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: Request For Quotation_pdf.exe |
Static file information: File size 1206272 > 1048576 |
Source: Request For Quotation_pdf.exe, LoaderInformation.cs |
.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: FLahHLuGzK.exe.0.dr, LoaderInformation.cs |
.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 0.2.Request For Quotation_pdf.exe.540000.0.unpack, LoaderInformation.cs |
.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 0.0.Request For Quotation_pdf.exe.540000.0.unpack, LoaderInformation.cs |
.Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Code function: 0_2_00B458F2 pushad ; ret |
0_2_00B458F9 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Code function: 0_2_00B459A0 pushfd ; ret |
0_2_00B459E9 |
Source: initial sample |
Static PE information: section name: .text entropy: 7.29828241423 |
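The .text entropy of 7.298 recorded above sits close to the 8.0 maximum, which is consistent with an encrypted or compressed payload stored inside the section (the same report shows the loader handing a byte array to Assembly.Load). The Python below is an added example, not part of this report or of any sandbox tooling: it computes the same Shannon entropy over section bytes and turns it into a packed/not-packed verdict. The 7.0 bits-per-byte threshold is an assumption for this example, not a value from the report, and the "packed" input is a constructed SHA-256 chain standing in for an encrypted payload.

```python
import hashlib
import math
from collections import Counter

# Verdict threshold in bits per byte. This is an assumption for the example, not a value
# from the report: ordinary code sections sit well below 7, encrypted or compressed data above it.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_section(name: str, data: bytes) -> dict:
    """Same shape as the report's 'section name ... entropy ...' line, plus a packed verdict."""
    h = shannon_entropy(data)
    return {
        "section": name,
        "size": len(data),
        "entropy": round(h, 3),
        "likely_packed": h >= PACKED_THRESHOLD,
    }


def pseudo_random_bytes(length: int, seed: bytes = b"constructed-payload") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for an encrypted payload."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed inputs: a low-entropy text-like section and a 64 KiB encrypted-looking one.
PLAIN_SECTION = b"This program cannot be run in DOS mode.\r\n" * 100
PACKED_SECTION = pseudo_random_bytes(64 * 1024)

if __name__ == "__main__":
    for name, data in ((".text (plain)", PLAIN_SECTION), (".text (packed)", PACKED_SECTION)):
        print(classify_section(name, data))
```

On a real file the same function is run per section over the raw bytes taken from the section table; a .NET loader like this one typically shows the high value in .text only, because the encrypted second stage lives there as a resource or byte array rather than in its own section.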
Source: unknown |
Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp' |
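The schtasks.exe invocation above is the persistence step: a task named Updates\FLahHLuGzK (the same name as the file dropped under AppData\Roaming) is registered from an XML definition written to %TEMP% as tmp91A5.tmp, and the process that spawns schtasks is the sample itself, running from the user's Desktop under a document-lookalike name. The Python below is an added example, not part of the report: it parses schtasks command lines from process-creation events and flags /Create calls whose XML comes from %TEMP%, whose parent runs from a user profile directory, or whose parent carries a double-extension lure name. The events are constructed in the shape of Sysmon Event ID 1 fields (the field names and the two benign control events are assumptions of the example).

```python
import re
from typing import Optional

# Constructed process-creation events (Sysmon Event ID 1 style fields; the field names are an
# assumption). The first reproduces the schtasks call from the report; the other two are benign.
EVENTS = [
    {"image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": r"C:\Users\user\Desktop\Request For Quotation_pdf.exe",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp'"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Acme\Updater" /XML "C:\Program Files\Acme\updater.xml" /F'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks.exe /Query /TN "Acme\Updater"'},
]

TOKEN_RE = re.compile(r'''"[^"]*"|'[^']*'|\S+''')     # the sandbox prints double quotes as single quotes
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
USER_PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\", re.I)
LURE_NAME_RE = re.compile(r"[._ -](pdf|doc|docx|xls|xlsx)\.exe$", re.I)
VERBS = {"/create", "/delete", "/change", "/run", "/end", "/query"}


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted paths together."""
    return [t.strip("\"'") for t in TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline: str) -> dict:
    """Return the schtasks verb and its valued switches (/TN, /XML, /TR, ...) with lower-cased keys."""
    toks = tokenize(cmdline)
    parsed = {"verb": None, "switches": {}}
    i = 1                                                # token 0 is the image path
    while i < len(toks):
        t = toks[i]
        if t.lower() in VERBS:
            parsed["verb"] = t.lower()
            i += 1
        elif t.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            parsed["switches"][t.lower()] = toks[i + 1]
            i += 2
        else:
            i += 1                                       # flag without a value, e.g. /F
    return parsed


def assess(event: dict) -> Optional[dict]:
    """Flag a schtasks /Create that looks like malware persistence; None for anything benign."""
    if not event["image"].lower().endswith("\\schtasks.exe"):
        return None
    p = parse_schtasks(event["cmdline"])
    if p["verb"] != "/create":
        return None
    xml, parent = p["switches"].get("/xml"), event["parent_image"]
    reasons = []
    if xml and TEMP_DIR_RE.search(xml):
        reasons.append("task definition read from a %TEMP% XML file")
    if USER_PROFILE_RE.search(parent):
        reasons.append("parent runs from a user profile directory")
    if LURE_NAME_RE.search(parent):
        reasons.append("parent carries a document-lookalike name")
    if not reasons:
        return None
    return {"task": p["switches"].get("/tn"), "xml": xml, "parent": parent, "reasons": reasons}


if __name__ == "__main__":
    for e in EVENTS:
        print(assess(e))
```

Real telemetry carries the double quotes that the sandbox renders as single quotes; the tokenizer accepts both so the same function works on either source. The XML-from-%TEMP% rule is the strongest of the three on its own, since legitimate installers write their task definitions from their own package directory.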
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Process information set: NOOPENFILEERRORBOX (the same signature hit 51 times) |
Source: Yara match |
File source: 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Request For Quotation_pdf.exe PID: 6644, type: MEMORY |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration |
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp |
Binary or memory string: SBIEDLL.DLL |
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp |
Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe TID: 6648 |
Thread sleep time: -52043s >= -30000s |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe TID: 6972 |
Thread sleep time: -15679732462653109s >= -30000s |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe TID: 6976 |
Thread sleep count: 3490 > 30 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe TID: 6976 |
Thread sleep count: 6311 > 30 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe TID: 6972 |
Thread sleep count: 42 > 30 |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp |
Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: Request For Quotation_pdf.exe, 00000000.00000002.610533650.0000000006610000.00000002.00000001.sdmp |
Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp |
Binary or memory string: vmware |
Source: Request For Quotation_pdf.exe, 00000000.00000002.610533650.0000000006610000.00000002.00000001.sdmp |
Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: Request For Quotation_pdf.exe, 00000000.00000002.610533650.0000000006610000.00000002.00000001.sdmp |
Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp |
Binary or memory string: VMware SVGA II |
Source: Request For Quotation_pdf.exe, 00000000.00000002.603618561.0000000000E88000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp |
Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools |
Source: Request For Quotation_pdf.exe, 00000000.00000002.610533650.0000000006610000.00000002.00000001.sdmp |
Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: Request For Quotation_pdf.exe, 00000000.00000002.603715746.00000000013E0000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: Request For Quotation_pdf.exe, 00000000.00000002.603715746.00000000013E0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: Request For Quotation_pdf.exe, 00000000.00000002.603715746.00000000013E0000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: Request For Quotation_pdf.exe, 00000000.00000002.603715746.00000000013E0000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Queries volume information: C:\Users\user\Desktop\Request For Quotation_pdf.exe VolumeInformation |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation |
Source: Yara match |
File source: 00000000.00000002.608313718.0000000003D76000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.610458939.00000000064C0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Request For Quotation_pdf.exe PID: 6644, type: MEMORY |
Source: Yara match |
File source: 0.2.Request For Quotation_pdf.exe.64c0000.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Request For Quotation_pdf.exe.64c0000.7.unpack, type: UNPACKEDPE |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini |
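The file opens above are the credential-harvesting phase: the Firefox and Thunderbird profile lists, Chrome's Cookies and Login Data databases, and the saved-server files of SmartFTP and FileZilla, all read by a process that is none of those applications. The Python below is an added example, not part of the report: given (process, path) file-open events it maps each credential store to the application that owns it and reports any other process that reaches the stores of two or more applications. The store patterns are taken from the paths in the report; the owner image names, the two-application threshold and the two benign control events are assumptions of the example.

```python
import re
from typing import Optional

# Credential stores opened by the sample (paths from the report) mapped to the application that
# legitimately owns them. The owner image names are assumptions made for this example.
CREDENTIAL_STORES = [
    (re.compile(r"\\Mozilla\\Firefox\\profiles\.ini$", re.I), "firefox.exe"),
    (re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Cookies)$", re.I), "chrome.exe"),
    (re.compile(r"\\SmartFTP\\Client 2\.0\\Favorites\\", re.I), "smartftp.exe"),
    (re.compile(r"\\FileZilla\\recentservers\.xml$", re.I), "filezilla.exe"),
    (re.compile(r"\\Thunderbird\\profiles\.ini$", re.I), "thunderbird.exe"),
]


def owner_of(path: str) -> Optional[str]:
    """Application that owns the credential store at `path`, or None if it is not a known store."""
    for pattern, owner in CREDENTIAL_STORES:
        if pattern.search(path):
            return owner
    return None


def foreign_access(process_image: str, path: str) -> Optional[str]:
    """Return the owning application when a *different* process opens its credential store."""
    owner = owner_of(path)
    if owner is None or process_image.lower().endswith("\\" + owner):
        return None
    return owner


def triage(events, min_apps: int = 2) -> dict:
    """Per process, the applications whose stores it touched; report those reaching >= min_apps.

    One foreign open can be a backup or sync tool; sweeping several stores is the stealer pattern.
    """
    touched = {}
    for process_image, path in events:
        app = foreign_access(process_image, path)
        if app:
            touched.setdefault(process_image, set()).add(app)
    return {proc: sorted(apps) for proc, apps in touched.items() if len(apps) >= min_apps}


SAMPLE = r"C:\Users\user\Desktop\Request For Quotation_pdf.exe"

# Constructed events: the opens the sandbox recorded for the sample, plus two benign controls
# (Chrome reading its own database, Explorer touching a single FileZilla file).
EVENTS = [
    (SAMPLE, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (SAMPLE, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies"),
    (SAMPLE, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (SAMPLE, "C:\\Users\\user\\AppData\\Roaming\\SmartFTP\\Client 2.0\\Favorites\\Quick Connect\\"),
    (SAMPLE, r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"),
    (SAMPLE, r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (SAMPLE, r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Windows\explorer.exe", r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"),
]

if __name__ == "__main__":
    for proc, apps in triage(EVENTS).items():
        print(proc, "->", ", ".join(apps))
```

The owner check is deliberately by image name only; on a real endpoint it should be backed by a signed-binary or path check, since a stealer copied to chrome.exe would otherwise pass.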
Source: Yara match |
File source: 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Request For Quotation_pdf.exe PID: 6644, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.608313718.0000000003D76000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.610458939.00000000064C0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Request For Quotation_pdf.exe PID: 6644, type: MEMORY |
Source: Yara match |
File source: 0.2.Request For Quotation_pdf.exe.64c0000.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Request For Quotation_pdf.exe.64c0000.7.unpack, type: UNPACKEDPE |
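The records in this report are flat "Source: ... |" / "detail: ... |" line pairs, which is what an analyst has to work from when the sandbox output is exported as text. The Python below is an added example, not part of the report or of the sandbox: it parses an excerpt of those pairs (copied from the lines above) back into records and pulls out the indicators that turn into detections: the AgentTesla SMTP configuration with host and port split out, URLs, the sample's mutex, the scheduled task name and the dropped file. The rule for which Source paths count as dropped files (AV-detected files under AppData) and the exclusion of mutexes created by binaries under C:\Windows are assumptions of this example.

```python
import json
import re

# Constructed excerpt: "Source: ... |" / "detail ... |" line pairs copied from the report above.
REPORT_EXCERPT = r'''
Source: Request For Quotation_pdf.exe.6644.0.memstr |
Malware Configuration Extractor: Agenttesla {"Username: ": "kBDUWu4tdzmw4m", "URL: ": "https://70m3WJPOC5dv7ww.org", "To: ": "diamondraylog@yandex.ru", "ByHost: ": "smtp.yandex.ru:587", "Password: ": "RQslMXh", "From: ": "diamondraylog@yandex.ru"} |
Source: C:\Users\user\AppData\Roaming\FLahHLuGzK.exe |
ReversingLabs: Detection: 26% |
Source: Request For Quotation_pdf.exe |
ReversingLabs: Detection: 26% |
Source: Malware configuration extractor |
URLs: https://70m3WJPOC5dv7ww.org |
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp |
String found in binary or memory: http://mPTCSt.com |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Mutant created: \Sessions\1\BaseNamedObjects\wAUTKAiLyvsCebSuWgxOX |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp' |
'''

URL_RE = re.compile(r'''https?://[^\s"']+''')
TASK_RE = re.compile(r"/TN\s+'([^']+)'", re.I)        # the sandbox renders double quotes as single quotes
DROPPED_RE = re.compile(r"\\AppData\\", re.I)          # assumption: detected files under AppData were dropped
SYSTEM_RE = re.compile(r"^[A-Z]:\\Windows\\", re.I)    # assumption: skip artefacts of system binaries


def parse_records(text: str) -> list:
    """Turn the line pairs into dicts: each 'Source:' line owns the detail lines that follow it."""
    records, source = [], None
    for raw in text.splitlines():
        line = raw.strip().rstrip("|").strip()
        if not line:
            continue
        if line.startswith("Source:"):
            source = line[len("Source:"):].strip()
        elif source is not None:
            kind, _, detail = line.partition(":")
            records.append({"source": source, "kind": kind.strip(), "detail": detail.strip()})
    return records


def parse_agenttesla_config(detail: str):
    """'Agenttesla {json}' -> (family, config); keys lose the trailing ': ', ByHost is split."""
    family, _, blob = detail.partition(" ")
    cfg = {k.strip(" :").lower(): v for k, v in json.loads(blob).items()}
    host, _, port = cfg.get("byhost", "").partition(":")
    cfg["smtp_host"] = host or None
    cfg["smtp_port"] = int(port) if port.isdigit() else None
    return family, cfg


def extract_iocs(text: str) -> dict:
    """Collect the indicators an analyst would act on from the parsed records."""
    iocs = {"family": None, "config": {}, "urls": set(), "mutexes": [],
            "scheduled_tasks": [], "dropped_files": []}
    for r in parse_records(text):
        kind, detail, source = r["kind"], r["detail"], r["source"]
        if kind == "Malware Configuration Extractor":
            iocs["family"], iocs["config"] = parse_agenttesla_config(detail)
            if iocs["config"].get("url"):
                iocs["urls"].add(iocs["config"]["url"])
        elif kind in ("URLs", "String found in binary or memory"):
            iocs["urls"].update(URL_RE.findall(detail))
        elif kind == "Mutant created" and not SYSTEM_RE.match(source):
            iocs["mutexes"].append(detail)          # conhost.exe's WilError mutex is not the sample's
        elif kind == "Process created":
            iocs["scheduled_tasks"].extend(TASK_RE.findall(detail))
        elif kind == "ReversingLabs" and DROPPED_RE.search(source):
            iocs["dropped_files"].append(source)    # AV-detected file written under AppData
    iocs["urls"] = sorted(iocs["urls"])
    return iocs


if __name__ == "__main__":
    print(json.dumps(extract_iocs(REPORT_EXCERPT), indent=2))
```

The SMTP host and port are the most useful network indicator here: the exfiltration goes to a legitimate mail provider, so blocking the domain is not an option and the detection has to key on an unexpected client (a process from the user's Desktop or AppData) opening port 587 to it.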