Analysis Report Request For Quotation_pdf.scr
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
Malware Configuration |
---|
Threatname: Agenttesla |
---|
{"Username: ": "kBDUWu4tdzmw4m", "URL: ": "https://70m3WJPOC5dv7ww.org", "To: ": "diamondraylog@yandex.ru", "ByHost: ": "smtp.yandex.ru:587", "Password: ": "RQslMXh", "From: ": "diamondraylog@yandex.ru"}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Scheduled temp file as task from temp location |
Source: | Author: Joe Security: |
Signature Overview |
---|
AV Detection: |
---|
Found malware configuration |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for dropped file |
Source: | ReversingLabs: |
Multi AV Scanner detection for submitted file |
Source: | ReversingLabs: |
Machine Learning detection for dropped file |
Source: | Joe Sandbox ML: |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Static PE information: |
Networking: |
---|
C2 URLs / IPs found in malware configuration |
Source: | URLs: |
Source: | TCP traffic: |
Source: | IP Address: |
Source: | TCP traffic: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | Binary or memory string: |
Source: | Window created: |
System Summary: |
---|
Initial sample is a PE file and has a suspicious name |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 0_2_00B48BF0 | |
Source: | Code function: | 0_2_00B42718 | |
Source: | Code function: | 0_2_00B45350 | |
Source: | Code function: | 0_2_00B4A0B8 | |
Source: | Code function: | 0_2_00B4B4E8 | |
Source: | Code function: | 0_2_00B44448 | |
Source: | Code function: | 0_2_00B45FB0 | |
Source: | Code function: | 0_2_00B4A7E8 | |
Source: | Code function: | 0_2_028DC62C | |
Source: | Code function: | 0_2_028DE890 | |
Source: | Code function: | 0_2_028DE8A0 |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Binary or memory string: | ||
Source: | Static PE information: |
Source: | Classification label: |
Source: | File created: |
Source: | Mutant created: |
Source: | Mutant created: |
Source: | File created: |
Source: | Static PE information: |
Source: | Section loaded: |
Source: | WMI Queries: |
Source: | WMI Queries: |
Source: | WMI Queries: |
Source: | File read: |
Source: | Key opened: |
Source: | File read: |
Source: | File read: |
Source: | ReversingLabs: |
Source: | File read: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Key value queried: |
Source: | File opened: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Data Obfuscation: |
---|
.NET source code contains potential unpacker |
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: | ||
Source: | .Net Code: |
Source: | Code function: | 0_2_00B458F9 | |
Source: | Code function: | 0_2_00B459E9 |
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | File created: |
Boot Survival: |
---|
Uses schtasks.exe or at.exe to add and modify task schedules |
Source: | Process created: |
Source: | Registry key monitored for changes: |
Source: | Process information set: |
Malware Analysis System Evasion: |
---|
Yara detected AntiVM_3 |
Source: | File source: | ||
Source: | File source: |
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) |
Source: | WMI Queries: |
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) |
Source: | WMI Queries: |
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | File opened / queried: |
Source: | Thread delayed: |
Source: | Window / User API: |
Source: | Window / User API: |
Source: | Thread sleep time: |
Source: | Thread sleep time: |
Source: | Thread sleep count: |
Source: | Thread sleep count: |
Source: | Thread sleep count: |
Source: | WMI Queries: | ||
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | Last function: |
Source: | Binary or memory string: | ||
Source: | Process token adjusted: |
Source: | Memory allocated: |
Source: | Process created: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Queries volume information: |
Source: | Key value queried: |
Stealing of Sensitive Information: |
---|
Yara detected AgentTesla |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Tries to harvest and steal browser information (history, passwords, etc) |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Tries to harvest and steal ftp login credentials |
Source: | File opened: |
Source: | File opened: |
Tries to steal Mail credentials (via file access) |
Source: | File opened: |
Source: | File opened: |
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality: |
---|
Yara detected AgentTesla |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation211 | Scheduled Task/Job1 | Process Injection12 | Disable or Modify Tools1 | OS Credential Dumping2 | File and Directory Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Obfuscated Files or Information2 | Input Capture1 | System Information Discovery113 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing11 | Security Account Manager | Query Registry1 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Masquerading1 | NTDS | Security Software Discovery321 | Distributed Component Object Model | Input Capture1 | Scheduled Transfer | Application Layer Protocol111 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion14 | LSA Secrets | Virtualization/Sandbox Evasion14 | SSH | Clipboard Data1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection12 | Cached Domain Credentials | Process Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
26% | ReversingLabs | Win32.Trojan.Pwsx | ||
100% | Joe Sandbox ML |
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Joe Sandbox ML | |||
26% | ReversingLabs | Win32.Trojan.Pwsx |
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
smtp.yandex.ru | 77.88.21.158 | true | false | high |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | high |
| | false | | low |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | high |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
77.88.21.158 | unknown | Russian Federation | 13238 | YANDEXRU | false |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Red Diamond |
Analysis ID: | 339373 |
Start date: | 13.01.2021 |
Start time: | 21:51:41 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 57s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | Request For Quotation_pdf.scr (renamed file extension from scr to exe) |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 31 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.spyw.evad.winEXE@4/4@1/1 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
Cookbook Comments: |
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
21:52:41 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
77.88.21.158 | | | malicious | | |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
smtp.yandex.ru | | | malicious | | |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
YANDEXRU | | | malicious | | |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Users\user\Desktop\Request For Quotation_pdf.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1643 |
Entropy (8bit): | 5.193980191585194 |
Encrypted: | false |
SSDEEP: | 24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBntn:cbh47TlNQ//rydbz9I3YODOLNdq3n |
MD5: | C27284C9952E79A82CEE03B348A03192 |
SHA1: | 96E60BEA3998F19646082C48AB3FB0AAAAB4AEB6 |
SHA-256: | 621CC8F055B4E0294DB250611782A694C2EA00AED46F3BD23CABE04A8231EB12 |
SHA-512: | 13F16F1AEF62D2ECFD3C15EEB167875351FC30CA35C503839998444E37CDBE767FFD2A2C5814EAF06F52F7C4E48377517E2BB4DAFEE11C389B81040EF283ED51 |
Malicious: | true |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\Request For Quotation_pdf.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1206272 |
Entropy (8bit): | 6.475210120171716 |
Encrypted: | false |
SSDEEP: | 12288:Tk3i7spOXX0muTKVzRaLrXOa/lcCgTZX8naDUf+h6a9Env:p+OeSaH+atcCKZIzP |
MD5: | A9125D57B0D4162E7DA34D6B8C10836F |
SHA1: | 56BCB534ABE3E5111B07B4F502B647FB5584B905 |
SHA-256: | 4F84F23B927E4A2F6F64D0C824777C1E0EDB05F8F83A662EF59617793582CFB6 |
SHA-512: | 430731A8792D27FAC18BE517BB200A514CC8B7D72E90D0BDFCD630BA85600C46633F13B3499EEA0993573122C07DD5015FC2318B7E13DBED9495222822D6930D |
Malicious: | true |
Antivirus: |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\Request For Quotation_pdf.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | true |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Users\user\Desktop\Request For Quotation_pdf.exe |
File Type: | |
Category: | modified |
Size (bytes): | 20480 |
Entropy (8bit): | 0.6970840431455908 |
Encrypted: | false |
SSDEEP: | 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0 |
MD5: | 00681D89EDDB6AD25E6F4BD2E66C61C6 |
SHA1: | 14B2FBFB460816155190377BBC66AB5D2A15F7AB |
SHA-256: | 8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85 |
SHA-512: | 159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.475210120171716 |
TrID: |
File name: | Request For Quotation_pdf.exe |
File size: | 1206272 |
MD5: | a9125d57b0d4162e7da34d6b8c10836f |
SHA1: | 56bcb534abe3e5111b07b4f502b647fb5584b905 |
SHA256: | 4f84f23b927e4a2f6f64d0c824777c1e0edb05f8f83a662ef59617793582cfb6 |
SHA512: | 430731a8792d27fac18be517bb200a514cc8b7d72e90d0bdfcd630ba85600c46633f13b3499eea0993573122c07dd5015fc2318b7e13dbed9495222822d6930d |
SSDEEP: | 12288:Tk3i7spOXX0muTKVzRaLrXOa/lcCgTZX8naDUf+h6a9Env:p+OeSaH+atcCKZIzP |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............P.................. ........@.. ....................................@................................ |
File Icon |
---|
Icon Hash: | 3cfcc4dcfcdcf4c4 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x4cd5f6 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x5FFEC78E [Wed Jan 13 10:12:30 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | v4.0.30319 |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Entrypoint Preview |
---|
Instruction |
---|
jmp dword ptr [00402000h] |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcd5a4 | 0x4f | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xce000 | 0x5ad04 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12a000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0xcb5fc | 0xcb600 | False | 0.694828720421 | data | 7.29828241423 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rsrc | 0xce000 | 0x5ad04 | 0x5ae00 | False | 0.031467610901 | data | 2.76557267543 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x12a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0xce220 | 0x42028 | dBase III DBT, version number 0, next free block index 40 | ||
RT_ICON | 0x110248 | 0x468 | GLS_BINARY_LSB_FIRST | ||
RT_ICON | 0x1106b0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | ||
RT_ICON | 0x112c58 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | ||
RT_ICON | 0x113d00 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | ||
RT_ICON | 0x124528 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | ||
RT_GROUP_ICON | 0x128750 | 0x5a | data | ||
RT_VERSION | 0x1287ac | 0x36c | data | ||
RT_MANIFEST | 0x128b18 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
Imports |
---|
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Version Infos |
---|
Description | Data |
---|---|
Translation | 0x0000 0x04b0 |
LegalCopyright | Copyright 2011 |
Assembly Version | 1.0.0.0 |
InternalName | CompletionActionInvoker.exe |
FileVersion | 1.0.0.0 |
CompanyName | |
LegalTrademarks | |
Comments | |
ProductName | FileReplacement |
ProductVersion | 1.0.0.0 |
FileDescription | FileReplacement |
OriginalFilename | CompletionActionInvoker.exe |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
UDP Packets |
---|
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jan 13, 2021 21:54:16.062416077 CET | 192.168.2.3 | 8.8.8.8 | 0xc0c8 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jan 13, 2021 21:54:16.118700027 CET | 8.8.8.8 | 192.168.2.3 | 0xc0c8 | No error (0) | 77.88.21.158 | A (IP address) | IN (0x0001) |
SMTP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
---|---|---|---|---|---|
Jan 13, 2021 21:54:16.429976940 CET | 587 | 49747 | 77.88.21.158 | 192.168.2.3 | 220 vla1-0125c0e65a03.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) |
Jan 13, 2021 21:54:16.430802107 CET | 49747 | 587 | 192.168.2.3 | 77.88.21.158 | EHLO 571345 |
Jan 13, 2021 21:54:16.524590015 CET | 587 | 49747 | 77.88.21.158 | 192.168.2.3 | 250-vla1-0125c0e65a03.qloud-c.yandex.net 250-8BITMIME 250-PIPELINING 250-SIZE 42991616 250-STARTTLS 250-AUTH LOGIN PLAIN XOAUTH2 250-DSN 250 ENHANCEDSTATUSCODES |
Jan 13, 2021 21:54:16.525309086 CET | 49747 | 587 | 192.168.2.3 | 77.88.21.158 | STARTTLS |
Jan 13, 2021 21:54:16.618880033 CET | 587 | 49747 | 77.88.21.158 | 192.168.2.3 | 220 Go ahead |
Jan 13, 2021 21:54:18.922470093 CET | 587 | 49748 | 77.88.21.158 | 192.168.2.3 | 220 vla3-3dd1bd6927b2.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) |
Jan 13, 2021 21:54:18.922744036 CET | 49748 | 587 | 192.168.2.3 | 77.88.21.158 | EHLO 571345 |
Jan 13, 2021 21:54:19.015132904 CET | 587 | 49748 | 77.88.21.158 | 192.168.2.3 | 250-vla3-3dd1bd6927b2.qloud-c.yandex.net 250-8BITMIME 250-PIPELINING 250-SIZE 42991616 250-STARTTLS 250-AUTH LOGIN PLAIN XOAUTH2 250-DSN 250 ENHANCEDSTATUSCODES |
Jan 13, 2021 21:54:19.015640020 CET | 49748 | 587 | 192.168.2.3 | 77.88.21.158 | STARTTLS |
Jan 13, 2021 21:54:19.108129978 CET | 587 | 49748 | 77.88.21.158 | 192.168.2.3 | 220 Go ahead |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 21:52:35 |
Start date: | 13/01/2021 |
Path: | C:\Users\user\Desktop\Request For Quotation_pdf.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x540000 |
File size: | 1206272 bytes |
MD5 hash: | A9125D57B0D4162E7DA34D6B8C10836F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
Reputation: | low |
General |
---|
Start time: | 21:52:43 |
Start date: | 13/01/2021 |
Path: | C:\Windows\SysWOW64\schtasks.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x11a0000 |
File size: | 185856 bytes |
MD5 hash: | 15FF7D8324231381BAD48A052F85DF04 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 21:52:43 |
Start date: | 13/01/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6b2800000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Function 00B48BF0, Relevance: .8, Instructions: 824, COMMON
Function 00B42718, Relevance: .5, Instructions: 497, COMMON
Function 00B45350, Relevance: .4, Instructions: 432, COMMON
Function 028D97F0, Relevance: 1.7, APIs: 1, Instructions: 196, COMMON
Function 028DBD10, Relevance: 1.6, APIs: 1, Instructions: 62, COMMON
Function 028D99D0, Relevance: 1.5, APIs: 1, Instructions: 47, COMMON
Non-executed Functions |
---|
Function 00B4B4E8, Relevance: 1.6, Instructions: 1639, COMMON
Function 00B4A7E8, Relevance: .8, Instructions: 845, COMMON
Function 00B4A0B8, Relevance: .5, Instructions: 512, COMMON
Function 00B44448, Relevance: .5, Instructions: 460, COMMON
Function 028DE8A0, Relevance: .3, Instructions: 315, COMMON
Function 00B45FB0, Relevance: .3, Instructions: 271, COMMON
Function 028DC62C, Relevance: .3, Instructions: 265, COMMON
Function 028DE890, Relevance: .2, Instructions: 226, COMMON