{"Username: ": "kBDUWu4tdzmw4m", "URL: ": "https://70m3WJPOC5dv7ww.org", "To: ": "diamondraylog@yandex.ru", "ByHost: ": "smtp.yandex.ru:587", "Password: ": "RQslMXh", "From: ": "diamondraylog@yandex.ru"}
Source: Process started | Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Request For Quotation_pdf.exe' , ParentImage: C:\Users\user\Desktop\Request For Quotation_pdf.exe, ParentProcessId: 6644, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp', ProcessId: 6852 |
Source: Request For Quotation_pdf.exe.6644.0.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "kBDUWu4tdzmw4m", "URL: ": "https://70m3WJPOC5dv7ww.org", "To: ": "diamondraylog@yandex.ru", "ByHost: ": "smtp.yandex.ru:587", "Password: ": "RQslMXh", "From: ": "diamondraylog@yandex.ru"} |
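The extractor row above gives the SMTP exfiltration settings the sample carries (mailbox, password, submission host and port, recipient). The following Python is an added example, not part of the Joe Sandbox report: it normalises the extractor's JSON (every key carries a trailing ": "), splits ByHost into host and port, and matches the result against a few constructed Sysmon-style network-connect events. The mail-client allowlist and the sample events are assumptions made for the illustration; only the config string itself comes from the report.

```python
import json
from typing import Dict, List

# Copied from the Malware Configuration Extractor row above. Note the ": "
# suffix the extractor leaves on every key name.
RAW_CONFIG = ('{"Username: ": "kBDUWu4tdzmw4m", "URL: ": "https://70m3WJPOC5dv7ww.org", '
              '"To: ": "diamondraylog@yandex.ru", "ByHost: ": "smtp.yandex.ru:587", '
              '"Password: ": "RQslMXh", "From: ": "diamondraylog@yandex.ru"}')


def normalize_config(raw: str) -> Dict[str, str]:
    """Parse the extractor JSON and strip the ': ' that trails each key."""
    return {key.rstrip(": "): value for key, value in json.loads(raw).items()}


def exfil_iocs(cfg: Dict[str, str]) -> Dict[str, object]:
    """Turn the config into fields a mail gateway or firewall can act on."""
    host, _, port = cfg["ByHost"].rpartition(":")
    return {
        "smtp_host": host.lower(),
        "smtp_port": int(port) if port.isdigit() else 25,  # 587 is the submission port
        "sender": cfg["From"].lower(),
        "recipient": cfg["To"].lower(),
        "mailbox_user": cfg["Username"],  # the account to report to the provider
        "url": cfg.get("URL", ""),
    }


# Assumption: these are the only endpoint processes expected to speak SMTP
# submission; anything else reaching the exfil host:port is alert-worthy.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed events (not from the report): the sample's own path from the
# report, a hypothetical legitimate mail client, and a CRL fetch for contrast.
NETWORK_EVENTS: List[Dict[str, object]] = [
    {"image": r"C:\Users\user\Desktop\Request For Quotation_pdf.exe",
     "dest_host": "smtp.yandex.ru", "dest_port": 587},
    {"image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "dest_host": "smtp.yandex.ru", "dest_port": 587},
    {"image": r"C:\Users\user\Desktop\Request For Quotation_pdf.exe",
     "dest_host": "crl.certum.pl", "dest_port": 80},
]


def match_network_event(event: Dict[str, object], iocs: Dict[str, object]) -> str:
    """Return an alert line if the event hits the exfil destination, else ''."""
    dest = (str(event["dest_host"]).lower(), int(event["dest_port"]))
    if dest != (iocs["smtp_host"], iocs["smtp_port"]):
        return ""
    image = str(event["image"])
    exe = image.rsplit("\\", 1)[-1].lower()
    # A real mail client installed outside the user profile may legitimately
    # use this provider; everything else connecting there gets flagged.
    if exe in MAIL_CLIENTS and not image.lower().startswith("c:\\users\\"):
        return ""
    return (f"{image} -> {dest[0]}:{dest[1]} matches the AgentTesla SMTP exfil "
            f"destination (mailbox {iocs['sender']}, recipient {iocs['recipient']})")


if __name__ == "__main__":
    iocs = exfil_iocs(normalize_config(RAW_CONFIG))
    for event in NETWORK_EVENTS:
        alert = match_network_event(event, iocs)
        if alert:
            print(alert)
```

Beyond the network match, the normalised mailbox and password are what you hand to the provider's abuse contact: the credential is hard-coded in the sample, so invalidating the account cuts off every infection that shares this build.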
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1 |
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | String found in binary or memory: http://crl.certum.pl/ca.crl0h |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | String found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0- |
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | String found in binary or memory: http://mPTCSt.com |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ca.cer09 |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ctnca.cer09 |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ycasha2.cer0 |
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | String found in binary or memory: http://subca.ocsp-certum.com0. |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | String found in binary or memory: http://subca.ocsp-certum.com01 |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | String found in binary or memory: http://www.certum.pl/CPS0 |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | String found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | String found in binary or memory: http://yandex.ocsp-responder.com03 |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606237650.0000000002D12000.00000004.00000001.sdmp, Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp, Request For Quotation_pdf.exe, 00000000.00000002.606128052.0000000002CE0000.00000004.00000001.sdmp, Request For Quotation_pdf.exe, 00000000.00000002.606399641.0000000002D44000.00000004.00000001.sdmp | String found in binary or memory: https://70m3WJPOC5dv7ww.org |
Source: Request For Quotation_pdf.exe, 00000000.00000002.606262254.0000000002D18000.00000004.00000001.sdmp | String found in binary or memory: https://www.certum.pl/CPS0 |
Source: Request For Quotation_pdf.exe, 00000000.00000002.608313718.0000000003D76000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip |
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Code function: 0_2_00B48BF0 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Code function: 0_2_00B42718 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Code function: 0_2_00B45350 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Code function: 0_2_00B4A0B8 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Code function: 0_2_00B4B4E8 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Code function: 0_2_00B44448 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Code function: 0_2_00B45FB0 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Code function: 0_2_00B4A7E8 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Code function: 0_2_028DC62C |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Code function: 0_2_028DE890 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Code function: 0_2_028DE8A0 |
Source: Request For Quotation_pdf.exe, 00000000.00000002.607460880.0000000003A7F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePositiveSign.dll< vs Request For Quotation_pdf.exe |
Source: Request For Quotation_pdf.exe, 00000000.00000002.608313718.0000000003D76000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamexjKPyntUGvaYvfCkJdXbGEvM.exe4 vs Request For Quotation_pdf.exe |
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSoapName.dll2 vs Request For Quotation_pdf.exe |
Source: Request For Quotation_pdf.exe, 00000000.00000002.610086375.0000000006210000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Request For Quotation_pdf.exe |
Source: Request For Quotation_pdf.exe, 00000000.00000002.610533650.0000000006610000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Request For Quotation_pdf.exe |
Source: Request For Quotation_pdf.exe, 00000000.00000002.602119236.000000000064E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCompletionActionInvoker.exe@ vs Request For Quotation_pdf.exe |
Source: Request For Quotation_pdf.exe, 00000000.00000002.603371760.0000000000D98000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Request For Quotation_pdf.exe |
Source: Request For Quotation_pdf.exe, 00000000.00000002.610290393.0000000006310000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Request For Quotation_pdf.exe |
Source: Request For Quotation_pdf.exe, 00000000.00000002.610290393.0000000006310000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Request For Quotation_pdf.exe |
Source: Request For Quotation_pdf.exe | Binary or memory string: OriginalFilenameCompletionActionInvoker.exe@ vs Request For Quotation_pdf.exe |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor |
Source: unknown | Process created: C:\Users\user\Desktop\Request For Quotation_pdf.exe 'C:\Users\user\Desktop\Request For Quotation_pdf.exe' |
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp' |
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp' |
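The process rows above show the persistence step: the sample, running from the user's Desktop, spawns schtasks.exe with /Create and hands it a task definition written to %TEMP%. The Python below is an added example, not code from the Joe Sandbox report: it tokenises a schtasks command line, pulls out the verb and the /TN, /XML and /TR values, and flags a /Create whose definition or parent lives in a user-writable directory. The first event is the report's own row; the two benign events, the directory list and the verb list are assumptions for the illustration. The rows above show single quotes where the real Windows command line uses double quotes, so the tokenizer accepts both.

```python
import re
from typing import Dict, List

# Constructed process-creation events in the shape of the "Process created"
# rows above. EVENTS[0] is the report's schtasks row; the other two are
# hypothetical benign events added for contrast.
EVENTS: List[Dict[str, str]] = [
    {
        "image": r"C:\Windows\SysWOW64\schtasks.exe",
        "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FLahHLuGzK' /XML 'C:\Users\user\AppData\Local\Temp\tmp91A5.tmp'",
        "parent_image": r"C:\Users\user\Desktop\Request For Quotation_pdf.exe",
    },
    {
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "MyApp\Updater" /XML "C:\Program Files\MyApp\updater.xml"',
        "parent_image": r"C:\Program Files\MyApp\setup.exe",
    },
    {
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r'"C:\Windows\System32\schtasks.exe" /Query /TN "Updates\FLahHLuGzK"',
        "parent_image": r"C:\Windows\System32\cmd.exe",
    },
]

# A quoted run (either quote style) or a bare run of non-whitespace.
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')

# Assumed set of locations an unprivileged user can write to. A task
# definition or task author coming from here is the pattern in the report.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Desktop|Downloads|Documents)\\"
    r"|\\Windows\\Temp\\|\\ProgramData\\",
    re.IGNORECASE,
)


def tokenize(cmdline: str) -> List[str]:
    """Split on whitespace while keeping quoted paths intact, quotes removed."""
    tokens = []
    for t in TOKEN_RE.findall(cmdline):
        if len(t) > 1 and t[0] in "\"'" and t[-1] == t[0]:
            t = t[1:-1]
        tokens.append(t)
    return tokens


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Return the schtasks verb plus the /TN, /XML, /TR, /SC, /RU values."""
    tokens = tokenize(cmdline)
    parsed: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        t = tokens[i].lower()
        if t in ("/create", "/delete", "/query", "/run", "/change"):
            parsed["verb"] = t[1:]
        elif t in ("/tn", "/xml", "/tr", "/sc", "/ru") and i + 1 < len(tokens):
            parsed[t[1:]] = tokens[i + 1]
            i += 1
        i += 1
    return parsed


def assess(event: Dict[str, str]) -> List[str]:
    """Reasons this event looks like scheduled-task persistence; [] if none."""
    if not event["image"].lower().endswith("\\schtasks.exe"):
        return []
    args = parse_schtasks(event["cmdline"])
    if args.get("verb") != "create":
        return []
    reasons: List[str] = []
    if "xml" in args and USER_WRITABLE_RE.search(args["xml"]):
        reasons.append(f"task definition read from a user-writable path: {args['xml']}")
    if USER_WRITABLE_RE.search(event["parent_image"]):
        reasons.append(f"created by a binary running from a user-writable path: {event['parent_image']}")
    if "tr" in args and USER_WRITABLE_RE.search(args["tr"]):
        reasons.append(f"task action points into a user-writable path: {args['tr']}")
    if reasons:
        reasons.insert(0, f"schtasks /Create for task {args.get('tn', '?')}")
    return reasons


def hunt(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each flagged command line to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for event in events:
        reasons = assess(event)
        if reasons:
            flagged[event["cmdline"]] = reasons
    return flagged


if __name__ == "__main__":
    for cmdline, reasons in hunt(EVENTS).items():
        print(cmdline)
        for reason in reasons:
            print("  -", reason)
```

The /XML form matters for triage: the action, trigger and run-as principal are inside the temporary file rather than on the command line, so the command line alone does not tell you what the task runs. Collect the XML (or read the registered task back from \Updates\FLahHLuGzK) before the temp file is cleaned up.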
Source: Request For Quotation_pdf.exe, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: FLahHLuGzK.exe.0.dr, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 0.2.Request For Quotation_pdf.exe.540000.0.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 0.0.Request For Quotation_pdf.exe.540000.0.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Process information set: NOOPENFILEERRORBOX (51 identical entries collapsed) |
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL |
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe TID: 6648 | Thread sleep time: -52043s >= -30000s |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe TID: 6972 | Thread sleep time: -15679732462653109s >= -30000s |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe TID: 6976 | Thread sleep count: 3490 > 30 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe TID: 6976 | Thread sleep count: 6311 > 30 |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe TID: 6972 | Thread sleep count: 42 > 30 |
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: Request For Quotation_pdf.exe, 00000000.00000002.610533650.0000000006610000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | Binary or memory string: vmware |
Source: Request For Quotation_pdf.exe, 00000000.00000002.610533650.0000000006610000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: Request For Quotation_pdf.exe, 00000000.00000002.610533650.0000000006610000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II |
Source: Request For Quotation_pdf.exe, 00000000.00000002.603618561.0000000000E88000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: Request For Quotation_pdf.exe, 00000000.00000002.604230367.0000000002A21000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools |
Source: Request For Quotation_pdf.exe, 00000000.00000002.610533650.0000000006610000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: Request For Quotation_pdf.exe, 00000000.00000002.603715746.00000000013E0000.00000002.00000001.sdmp | Binary or memory string: Program Manager |
Source: Request For Quotation_pdf.exe, 00000000.00000002.603715746.00000000013E0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: Request For Quotation_pdf.exe, 00000000.00000002.603715746.00000000013E0000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: Request For Quotation_pdf.exe, 00000000.00000002.603715746.00000000013E0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Queries volume information: C:\Users\user\Desktop\Request For Quotation_pdf.exe VolumeInformation |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation |
Source: Yara match | File source: 00000000.00000002.608313718.0000000003D76000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.610458939.00000000064C0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: Request For Quotation_pdf.exe PID: 6644, type: MEMORY |
Source: Yara match | File source: 0.2.Request For Quotation_pdf.exe.64c0000.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.Request For Quotation_pdf.exe.64c0000.7.unpack, type: UNPACKEDPE |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies |
Source: C:\Users\user\Desktop\Request For Quotation_pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data |