{"Version": "1.2.2.0", "Mutex": "7d9d1b37-9225-4679-a6f4-60db74de", "Group": "TBOSS1", "Domain1": "194.5.98.19", "Domain2": "tboss1.ddns.net", "Port": 53795, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.160.8 |
Source: unknown | TCP traffic detected without corresponding DNS query: 194.5.98.19 |
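The configuration block at the top of this report and the "TCP traffic detected without corresponding DNS query" findings for 194.5.98.19 are two views of the same thing: Domain1 is a literal IP, so the client can reach its C2 on port 53795 without ever resolving a name, which is exactly what the sandbox heuristic keys on. The block below is an added example (not sandbox output and not NanoCore code) that turns the extracted config into network indicators and replays that heuristic over a small constructed connection/DNS log. It assumes a simple whitespace log format, a single sanctioned resolver at 10.0.0.2 (hypothetical), and reads UseCustomDNS/PrimaryDNSServer as meaning the client will resolve the Domain2 fallback (tboss1.ddns.net) through 8.8.8.8 rather than the site resolver, which is why the example also flags DNS sent to unsanctioned resolvers. 20.190.160.8 appears in the report but not in the config, so the example only reports it as an unresolved connection to triage and makes no claim about what it is.

```python
"""Added example: derive network IOCs from the NanoCore config extracted
above and replay the sandbox's "TCP traffic without corresponding DNS
query" heuristic over a constructed connection/DNS log (stdlib only)."""
import ipaddress
import json
from collections import defaultdict

# Fields from the extracted configuration (report line 1) that matter for
# network detection; the timing and behaviour flags are omitted here.
NANOCORE_CONFIG_JSON = (
    '{"Version": "1.2.2.0", "Mutex": "7d9d1b37-9225-4679-a6f4-60db74de", '
    '"Group": "TBOSS1", "Domain1": "194.5.98.19", "Domain2": "tboss1.ddns.net", '
    '"Port": 53795, "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}'
)

# Assumption: the monitored site has exactly one sanctioned resolver.
SANCTIONED_RESOLVERS = {"10.0.0.2"}

# Constructed log, not sandbox output. Two record shapes:
#   <ts> dns  <client> <resolver> <qname> <answer_ip>
#   <ts> conn <client> <dst_ip> <dst_port>
SAMPLE_LOG = """
0.0 dns  10.0.0.5 10.0.0.2 update.example.net 93.184.216.34
0.4 conn 10.0.0.5 93.184.216.34 443
2.0 conn 10.0.0.5 20.190.160.8 443
4.0 conn 10.0.0.5 194.5.98.19 53795
9.0 dns  10.0.0.5 8.8.8.8 tboss1.ddns.net 194.5.98.19
9.5 conn 10.0.0.5 194.5.98.19 53795
"""


def iocs_from_config(cfg):
    """Split Domain1/Domain2 into literal IPs and hostnames, and record the
    resolver the client will use when UseCustomDNS is enabled."""
    ips, domains = [], []
    for key in ("Domain1", "Domain2"):
        host = str(cfg.get(key, "")).strip()
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            ips.append(host)
        except ValueError:
            domains.append(host.lower())
    resolver = cfg.get("PrimaryDNSServer") if cfg.get("UseCustomDNS") == "Enable" else None
    return {"ips": ips, "domains": domains, "port": int(cfg["Port"]),
            "resolver": resolver, "mutex": cfg.get("Mutex")}


def parse_log(text):
    """Parse the two record shapes above into dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        f = line.split()
        if f[1] == "dns":
            events.append({"ts": float(f[0]), "kind": "dns", "client": f[2],
                           "resolver": f[3], "qname": f[4].lower(), "answer": f[5]})
        elif f[1] == "conn":
            events.append({"ts": float(f[0]), "kind": "conn", "client": f[2],
                           "dst": f[3], "port": int(f[4])})
    return sorted(events, key=lambda e: e["ts"])


def analyze(events, iocs, window=300.0):
    """Return (ts, label, detail) findings. Labels:
    unresolved-tcp : connection to an IP no DNS answer gave this client in `window` s
    c2-ip          : connection to a literal C2 address on the configured port
    c2-domain      : DNS query for a configured C2 hostname
    resolver-bypass: DNS sent to a resolver that is not sanctioned here"""
    answers = defaultdict(list)          # (client, answered ip) -> [timestamps]
    findings = []
    for ev in events:
        if ev["kind"] == "dns":
            answers[(ev["client"], ev["answer"])].append(ev["ts"])
            if ev["qname"] in iocs["domains"]:
                findings.append((ev["ts"], "c2-domain", ev["qname"]))
            if ev["resolver"] not in SANCTIONED_RESOLVERS:
                note = " (matches PrimaryDNSServer in config)" if ev["resolver"] == iocs["resolver"] else ""
                findings.append((ev["ts"], "resolver-bypass", ev["resolver"] + note))
        else:
            key = (ev["client"], ev["dst"])
            resolved = any(0 <= ev["ts"] - t <= window for t in answers[key])
            dest = f'{ev["client"]} -> {ev["dst"]}:{ev["port"]}'
            if not resolved:
                findings.append((ev["ts"], "unresolved-tcp", dest))
            if ev["dst"] in iocs["ips"] and ev["port"] == iocs["port"]:
                findings.append((ev["ts"], "c2-ip", dest))
    return findings


def run_sample():
    """Parse the config, build IOCs, and analyse the constructed log."""
    iocs = iocs_from_config(json.loads(NANOCORE_CONFIG_JSON))
    return iocs, analyze(parse_log(SAMPLE_LOG), iocs)


if __name__ == "__main__":
    iocs, findings = run_sample()
    print("IOCs:", iocs)
    for ts, label, detail in findings:
        print(f"{ts:5.1f}  {label:16} {detail}")
```

The 4.0 s connection reproduces the report's finding (no DNS answer for 194.5.98.19, and it is the configured C2 on the configured port). The 9.0/9.5 s pair shows the gap in a DNS-only detection: once the client falls back to Domain2, the connection does have a matching DNS answer, but that answer came from 8.8.8.8, so a site resolver log would never contain tboss1.ddns.net. Blocking or logging outbound UDP/TCP 53 to anything other than the sanctioned resolver closes that gap; the config's PrimaryDNSServer value is the indicator that tells you the sample intends to use it.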
Source: 00000000.00000002.243826185.00000000043B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000000.00000002.243826185.00000000043B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000000.00000002.243971939.0000000004508000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000000.00000002.243971939.0000000004508000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: Process Memory Space: QuotationOrder.pdf.exe PID: 6248, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: Process Memory Space: QuotationOrder.pdf.exe PID: 6248, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 0.2.QuotationOrder.pdf.exe.446ded8.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 0.2.QuotationOrder.pdf.exe.446ded8.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 0.2.QuotationOrder.pdf.exe.446ded8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 0.2.QuotationOrder.pdf.exe.446ded8.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_018199D8 |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_03264918 |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_032641D0 |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_032660CD |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_03267717 |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_03264FD0 |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_03263E28 |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_03265E78 |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_03265A61 |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_03265A70 |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_03266134 |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_03264908 |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_032641C2 |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_03260006 |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_03267843 |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_03260040 |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_03264FC0 |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_03263E18 |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_03265E68 |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_03263C50 |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_0588DAB0 |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_0588B760 |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_0588B770 |
Source: QuotationOrder.pdf.exe, 00000000.00000002.247694872.000000000C1E0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs QuotationOrder.pdf.exe |
Source: QuotationOrder.pdf.exe, 00000000.00000003.233367638.0000000001642000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWaitHandle.exeP vs QuotationOrder.pdf.exe |
Source: QuotationOrder.pdf.exe, 00000000.00000002.243971939.0000000004508000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs QuotationOrder.pdf.exe |
Source: QuotationOrder.pdf.exe, 00000000.00000002.243492551.00000000033B1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs QuotationOrder.pdf.exe |
Source: QuotationOrder.pdf.exe, 00000000.00000002.247916879.000000000C2E0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs QuotationOrder.pdf.exe |
Source: QuotationOrder.pdf.exe, 00000000.00000002.247916879.000000000C2E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs QuotationOrder.pdf.exe |
Source: QuotationOrder.pdf.exe | Binary or memory string: OriginalFilenameWaitHandle.exeP vs QuotationOrder.pdf.exe |
Source: 00000000.00000002.243826185.00000000043B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000000.00000002.243826185.00000000043B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 00000000.00000002.243971939.0000000004508000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000000.00000002.243971939.0000000004508000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: Process Memory Space: QuotationOrder.pdf.exe PID: 6248, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: Process Memory Space: QuotationOrder.pdf.exe PID: 6248, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 0.2.QuotationOrder.pdf.exe.446ded8.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 0.2.QuotationOrder.pdf.exe.446ded8.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.QuotationOrder.pdf.exe.446ded8.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 0.2.QuotationOrder.pdf.exe.446ded8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 0.2.QuotationOrder.pdf.exe.446ded8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.QuotationOrder.pdf.exe.446ded8.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;; |
Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data); |
Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id; |
Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo; |
Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade); |
Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone); |
Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data); |
Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor); |
Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo) |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX |
Source: MSBuild.exe, 00000003.00000003.290304771.0000000001437000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3cP |
Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: vmware |
Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools |
Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath " |
Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: VMWARE |
Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum |
Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II |
Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Queries volume information: C:\Users\user\Desktop\QuotationOrder.pdf.exe VolumeInformation |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation |