Loading ...

Play interactive tourEdit tour

Analysis Report Request for Price Quotation.pdf.exe

Overview

General Information

Sample Name:Request for Price Quotation.pdf.exe
Analysis ID:432812
MD5:04ff13eb3759dbe4112b49738e9f5aee
SHA1:460aa3f718ed5ce4c5d52a28fa2f275ebf076d30
SHA256:836509e2435bbae2e7d695ff94a760a0aa3e3a362edd3e2f37e907bba48f6b72
Tags:AgentTeslaexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code contains very large strings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • Request for Price Quotation.pdf.exe (PID: 6496 cmdline: 'C:\Users\user\Desktop\Request for Price Quotation.pdf.exe' MD5: 04FF13EB3759DBE4112B49738E9F5AEE)
    • schtasks.exe (PID: 6672 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vRURxcnYJm' /XML 'C:\Users\user\AppData\Local\Temp\tmpD822.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • pGKuRU.exe (PID: 6744 cmdline: 'C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe' MD5: 04FF13EB3759DBE4112B49738E9F5AEE)
    • schtasks.exe (PID: 6388 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vRURxcnYJm' /XML 'C:\Users\user\AppData\Local\Temp\tmpD30D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • pGKuRU.exe (PID: 808 cmdline: {path} MD5: 04FF13EB3759DBE4112B49738E9F5AEE)
  • pGKuRU.exe (PID: 5644 cmdline: 'C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe' MD5: 04FF13EB3759DBE4112B49738E9F5AEE)
    • schtasks.exe (PID: 6688 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vRURxcnYJm' /XML 'C:\Users\user\AppData\Local\Temp\tmpF0F5.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • pGKuRU.exe (PID: 6276 cmdline: {path} MD5: 04FF13EB3759DBE4112B49738E9F5AEE)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "mhd.nazri@vistakencana.com.mym33R3bus!mail.vistakencana.com.my"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000021.00000000.429160919.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000021.00000000.429160919.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000012.00000002.473375885.00000000032D1000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000012.00000002.473375885.00000000032D1000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000025.00000000.445224986.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 33 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            33.0.pGKuRU.exe.400000.1.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              33.0.pGKuRU.exe.400000.1.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                37.2.pGKuRU.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  37.2.pGKuRU.exe.400000.0.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    33.2.pGKuRU.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 19 entries

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Suspicious Double ExtensionShow sources
                      Source: Process startedAuthor: Florian Roth (rule), @blu3_team (idea): Data: Command: {path}, CommandLine: {path}, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Request for Price Quotation.pdf.exe, NewProcessName: C:\Users\user\Desktop\Request for Price Quotation.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Request for Price Quotation.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\Request for Price Quotation.pdf.exe' , ParentImage: C:\Users\user\Desktop\Request for Price Quotation.pdf.exe, ParentProcessId: 6496, ProcessCommandLine: {path}, ProcessId: 6472

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 00000012.00000002.473375885.00000000032D1000.00000004.00000001.sdmpMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "mhd.nazri@vistakencana.com.mym33R3bus!mail.vistakencana.com.my"}
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeReversingLabs: Detection: 21%
                      Source: C:\Users\user\AppData\Roaming\vRURxcnYJm.exeReversingLabs: Detection: 21%
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: Request for Price Quotation.pdf.exeReversingLabs: Detection: 21%
                      Source: 33.0.pGKuRU.exe.400000.1.unpackAvira: Label: TR/Spy.Gen8
                      Source: 37.2.pGKuRU.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 33.2.pGKuRU.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 37.0.pGKuRU.exe.400000.1.unpackAvira: Label: TR/Spy.Gen8
                      Source: 18.2.Request for Price Quotation.pdf.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 18.0.Request for Price Quotation.pdf.exe.400000.1.unpackAvira: Label: TR/Spy.Gen8
                      Source: Request for Price Quotation.pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
                      Source: Request for Price Quotation.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: mscorrc.pdb source: Request for Price Quotation.pdf.exe, 00000001.00000002.301723615.0000000006930000.00000002.00000001.sdmp, pGKuRU.exe, 00000018.00000002.435175637.0000000006D50000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.451550450.0000000006CA0000.00000002.00000001.sdmp
                      Source: Request for Price Quotation.pdf.exe, 00000012.00000002.473375885.00000000032D1000.00000004.00000001.sdmp, pGKuRU.exe, 00000021.00000002.447853207.00000000035A1000.00000004.00000001.sdmp, pGKuRU.exe, 00000025.00000002.473835627.00000000032E1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: pGKuRU.exe, 00000025.00000002.473835627.00000000032E1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.298842775.00000000051F0000.00000002.00000001.sdmp, pGKuRU.exe, 00000018.00000002.433918370.0000000005C40000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: pGKuRU.exe, 00000025.00000002.473835627.00000000032E1000.00000004.00000001.sdmpString found in binary or memory: http://lgGOBE.com
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.298842775.00000000051F0000.00000002.00000001.sdmp, pGKuRU.exe, 00000018.00000002.433918370.0000000005C40000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.205550305.0000000005090000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.298842775.00000000051F0000.00000002.00000001.sdmp, pGKuRU.exe, 00000018.00000002.433918370.0000000005C40000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.298842775.00000000051F0000.00000002.00000001.sdmp, pGKuRU.exe, 00000018.00000002.433918370.0000000005C40000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.298842775.00000000051F0000.00000002.00000001.sdmp, pGKuRU.exe, 00000018.00000002.433918370.0000000005C40000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.298842775.00000000051F0000.00000002.00000001.sdmp, pGKuRU.exe, 00000018.00000002.433918370.0000000005C40000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.298842775.00000000051F0000.00000002.00000001.sdmp, pGKuRU.exe, 00000018.00000002.433918370.0000000005C40000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.210317209.000000000508D000.00000004.00000001.sdmp, Request for Price Quotation.pdf.exe, 00000001.00000002.298842775.00000000051F0000.00000002.00000001.sdmp, pGKuRU.exe, 00000018.00000002.433918370.0000000005C40000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.298842775.00000000051F0000.00000002.00000001.sdmp, pGKuRU.exe, 00000018.00000002.433918370.0000000005C40000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.298842775.00000000051F0000.00000002.00000001.sdmp, pGKuRU.exe, 00000018.00000002.433918370.0000000005C40000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.292449495.0000000005080000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.292449495.0000000005080000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comrsiv
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.298842775.00000000051F0000.00000002.00000001.sdmp, pGKuRU.exe, 00000018.00000002.433918370.0000000005C40000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.203281814.000000000509B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com;
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.203308968.000000000509B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comc
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.203281814.000000000509B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comx
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.204968127.0000000005084000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.c
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.204968127.0000000005084000.00000004.00000001.sdmp, pGKuRU.exe, 00000018.00000002.433918370.0000000005C40000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.204952436.00000000050BD000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.298842775.00000000051F0000.00000002.00000001.sdmp, pGKuRU.exe, 00000018.00000002.433918370.0000000005C40000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.298842775.00000000051F0000.00000002.00000001.sdmp, pGKuRU.exe, 00000018.00000002.433918370.0000000005C40000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.204968127.0000000005084000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnS
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.298842775.00000000051F0000.00000002.00000001.sdmp, pGKuRU.exe, 00000018.00000002.433918370.0000000005C40000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.298842775.00000000051F0000.00000002.00000001.sdmp, pGKuRU.exe, 00000018.00000002.433918370.0000000005C40000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.298842775.00000000051F0000.00000002.00000001.sdmp, pGKuRU.exe, 00000018.00000002.433918370.0000000005C40000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.206601961.0000000005084000.00000004.00000001.sdmp, pGKuRU.exe, 00000018.00000002.433918370.0000000005C40000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.206601961.0000000005084000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp///
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.206601961.0000000005084000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/3
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.206601961.0000000005084000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/E
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.206601961.0000000005084000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/NegrW
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.206601961.0000000005084000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.206601961.0000000005084000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/fet
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.206601961.0000000005084000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.206601961.0000000005084000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/uche.
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.203330941.00000000050A4000.00000004.00000001.sdmp, Request for Price Quotation.pdf.exe, 00000001.00000002.298842775.00000000051F0000.00000002.00000001.sdmp, pGKuRU.exe, 00000018.00000002.433918370.0000000005C40000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.203281814.000000000509B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.coma-do
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.203281814.000000000509B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comd
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.298842775.00000000051F0000.00000002.00000001.sdmp, pGKuRU.exe, 00000018.00000002.433918370.0000000005C40000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.204521592.0000000005086000.00000004.00000001.sdmp, pGKuRU.exe, 00000018.00000002.433918370.0000000005C40000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.204521592.0000000005086000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kre
                      Source: pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.203564065.000000000509B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comc
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000003.203537866.000000000509B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comtn
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.298842775.00000000051F0000.00000002.00000001.sdmp, pGKuRU.exe, 00000018.00000002.433918370.0000000005C40000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.298842775.00000000051F0000.00000002.00000001.sdmp, pGKuRU.exe, 00000018.00000002.433918370.0000000005C40000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.298842775.00000000051F0000.00000002.00000001.sdmp, pGKuRU.exe, 00000018.00000002.433918370.0000000005C40000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.450841292.0000000005BA0000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.303244062.000000000BED1000.00000004.00000001.sdmp, Request for Price Quotation.pdf.exe, 00000012.00000000.291844857.0000000000402000.00000040.00000001.sdmp, pGKuRU.exe, 00000018.00000002.431644231.00000000046D1000.00000004.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.447980592.0000000004561000.00000004.00000001.sdmp, pGKuRU.exe, 00000021.00000000.429160919.0000000000402000.00000040.00000001.sdmp, pGKuRU.exe, 00000025.00000000.445224986.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: pGKuRU.exe, 00000025.00000002.473835627.00000000032E1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: 18.2.Request for Price Quotation.pdf.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b5BC708AEu002dEE51u002d4E9Eu002d8C5Au002d29C17F478EFEu007d/u003446AB6DCu002dB12Au002d4788u002d854Eu002d45AA3F287DBE.csLarge array initialization: .cctor: array initializer size 11916
                      Source: 18.0.Request for Price Quotation.pdf.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b5BC708AEu002dEE51u002d4E9Eu002d8C5Au002d29C17F478EFEu007d/u003446AB6DCu002dB12Au002d4788u002d854Eu002d45AA3F287DBE.csLarge array initialization: .cctor: array initializer size 11916
                      .NET source code contains very large stringsShow sources
                      Source: Request for Price Quotation.pdf.exe, ContactManagement/ContactForm.csLong String: Length: 11840
                      Source: vRURxcnYJm.exe.1.dr, ContactManagement/ContactForm.csLong String: Length: 11840
                      Source: 1.0.Request for Price Quotation.pdf.exe.580000.0.unpack, ContactManagement/ContactForm.csLong String: Length: 11840
                      Source: 1.2.Request for Price Quotation.pdf.exe.580000.0.unpack, ContactManagement/ContactForm.csLong String: Length: 11840
                      Source: 16.0.Request for Price Quotation.pdf.exe.300000.0.unpack, ContactManagement/ContactForm.csLong String: Length: 11840
                      Source: 16.2.Request for Price Quotation.pdf.exe.300000.0.unpack, ContactManagement/ContactForm.csLong String: Length: 11840
                      Source: pGKuRU.exe.18.dr, ContactManagement/ContactForm.csLong String: Length: 11840
                      Source: 18.2.Request for Price Quotation.pdf.exe.b70000.1.unpack, ContactManagement/ContactForm.csLong String: Length: 11840
                      Source: 18.0.Request for Price Quotation.pdf.exe.b70000.0.unpack, ContactManagement/ContactForm.csLong String: Length: 11840
                      Source: 18.0.Request for Price Quotation.pdf.exe.b70000.2.unpack, ContactManagement/ContactForm.csLong String: Length: 11840
                      Source: 24.2.pGKuRU.exe.fd0000.0.unpack, ContactManagement/ContactForm.csLong String: Length: 11840
                      Source: 24.0.pGKuRU.exe.fd0000.0.unpack, ContactManagement/ContactForm.csLong String: Length: 11840
                      Source: 26.0.pGKuRU.exe.ee0000.0.unpack, ContactManagement/ContactForm.csLong String: Length: 11840
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: Request for Price Quotation.pdf.exe
                      Source: initial sampleStatic PE information: Filename: Request for Price Quotation.pdf.exe
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_06282A0E NtQuerySystemInformation,1_2_06282A0E
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_062829D4 NtQuerySystemInformation,1_2_062829D4
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 18_2_013FB0BA NtQuerySystemInformation,18_2_013FB0BA
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 18_2_013FB089 NtQuerySystemInformation,18_2_013FB089
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_072527F2 NtQuerySystemInformation,24_2_072527F2
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_072527BC NtQuerySystemInformation,24_2_072527BC
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_058C26A6 NtQuerySystemInformation,26_2_058C26A6
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_058C2675 NtQuerySystemInformation,26_2_058C2675
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0101F5381_2_0101F538
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_010179581_2_01017958
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_010101801_2_01010180
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_010141D81_2_010141D8
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_010148281_2_01014828
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_010120B81_2_010120B8
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0101B0E01_2_0101B0E0
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0101273C1_2_0101273C
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0101E7D81_2_0101E7D8
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_010197D81_2_010197D8
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_01019BF01_2_01019BF0
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_01013E781_2_01013E78
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_010136781_2_01013678
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0101AEA81_2_0101AEA8
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_010156B01_2_010156B0
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0101DD001_2_0101DD00
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0101DD101_2_0101DD10
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_010189601_2_01018960
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0101F1701_2_0101F170
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_010189801_2_01018980
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_010175801_2_01017580
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_010175901_2_01017590
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_010164081_2_01016408
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_010120A91_2_010120A9
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_010170C11_2_010170C1
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_01019F401_2_01019F40
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_01019F501_2_01019F50
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_01018F501_2_01018F50
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_01012B701_2_01012B70
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_010177881_2_01017788
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_010177981_2_01017798
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0101E7C71_2_0101E7C7
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_010197C81_2_010197C8
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_01019BE01_2_01019BE0
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_010163F91_2_010163F9
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_010156691_2_01015669
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0101AE991_2_0101AE99
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0101CEC41_2_0101CEC4
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0101CEC81_2_0101CEC8
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_010142F01_2_010142F0
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0CC300701_2_0CC30070
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332273324_2_03322733
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332E75824_2_0332E758
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332367824_2_03323678
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_03323E7824_2_03323E78
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_033256B024_2_033256B0
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332AEA824_2_0332AEA8
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332795824_2_03327958
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332018024_2_03320180
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_033241D324_2_033241D3
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332482324_2_03324823
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332242124_2_03322421
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_033220B824_2_033220B8
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332B0E024_2_0332B0E0
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_03322B7024_2_03322B70
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_03329F5024_2_03329F50
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_03328F5024_2_03328F50
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_03329F4024_2_03329F40
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332E74824_2_0332E748
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332779824_2_03327798
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332778824_2_03327788
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_03329BF024_2_03329BF0
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_033263F924_2_033263F9
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_03329BE024_2_03329BE0
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_033297D824_2_033297D8
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_033283DC24_2_033283DC
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_033297C824_2_033297C8
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332566724_2_03325667
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332AE9924_2_0332AE99
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_033242F024_2_033242F0
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332CEC324_2_0332CEC3
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332CEC824_2_0332CEC8
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332DD1024_2_0332DD10
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332DD0024_2_0332DD00
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332017024_2_03320170
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332ADBB24_2_0332ADBB
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332759024_2_03327590
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332898024_2_03328980
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332758024_2_03327580
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_033235D824_2_033235D8
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332842624_2_03328426
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332640824_2_03326408
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_033220A924_2_033220A9
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0332A49724_2_0332A497
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_033270C124_2_033270C1
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_07D519CD24_2_07D519CD
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_07D5007024_2_07D50070
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_07D51ABA24_2_07D51ABA
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_07D5000624_2_07D50006
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571795826_2_05717958
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_057141D326_2_057141D3
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_05713DB826_2_05713DB8
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571018026_2_05710180
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571482326_2_05714823
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571B0E026_2_0571B0E0
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_057120B826_2_057120B8
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571E75826_2_0571E758
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571273326_2_05712733
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571367826_2_05713678
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_057156B026_2_057156B0
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571AEA826_2_0571AEA8
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571017026_2_05710170
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571555B26_2_0571555B
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571895F26_2_0571895F
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571894B26_2_0571894B
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571DD1026_2_0571DD10
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571791926_2_05717919
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571DD0026_2_0571DD00
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_05713DF826_2_05713DF8
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_05715DE026_2_05715DE0
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_057135D826_2_057135D8
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571759026_2_05717590
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571898026_2_05718980
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571758026_2_05717580
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571842726_2_05718427
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571640826_2_05716408
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_057170C126_2_057170C1
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_057120A926_2_057120A9
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_057140A826_2_057140A8
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_05712B7026_2_05712B70
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_05719F5026_2_05719F50
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_05718F5026_2_05718F50
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_05719BF026_2_05719BF0
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_057163F926_2_057163F9
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_05719BE026_2_05719BE0
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_057197D826_2_057197D8
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_057183DC26_2_057183DC
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_057197C826_2_057197C8
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571779826_2_05717798
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571778826_2_05717788
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_05713E7826_2_05713E78
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571666026_2_05716660
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571363B26_2_0571363B
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_057142F026_2_057142F0
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571CEC826_2_0571CEC8
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_057142A026_2_057142A0
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_0571AE9B26_2_0571AE9B
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_07C6007026_2_07C60070
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_07C6000726_2_07C60007
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_07C6003C26_2_07C6003C
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.303591199.000000000CA70000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Request for Price Quotation.pdf.exe
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.303591199.000000000CA70000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Request for Price Quotation.pdf.exe
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.296240189.0000000002CD1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMGJMJfWcOlHYGCsdlWbhHsPUysKpteyohndxgT.exe4 vs Request for Price Quotation.pdf.exe
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.302366710.0000000006C80000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Request for Price Quotation.pdf.exe
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.299993869.0000000006290000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWindowsNetwork.dll> vs Request for Price Quotation.pdf.exe
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.296955820.0000000002D13000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs Request for Price Quotation.pdf.exe
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.293718622.00000000005F8000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamezRdH.exeF vs Request for Price Quotation.pdf.exe
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.301723615.0000000006930000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Request for Price Quotation.pdf.exe
                      Source: Request for Price Quotation.pdf.exe, 00000010.00000000.289699259.0000000000378000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamezRdH.exeF vs Request for Price Quotation.pdf.exe
                      Source: Request for Price Quotation.pdf.exe, 00000012.00000002.476550547.0000000006300000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamezRdH.exeF vs Request for Price Quotation.pdf.exe
                      Source: Request for Price Quotation.pdf.exe, 00000012.00000002.475378599.0000000005700000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs Request for Price Quotation.pdf.exe
                      Source: Request for Price Quotation.pdf.exe, 00000012.00000002.468490022.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameMGJMJfWcOlHYGCsdlWbhHsPUysKpteyohndxgT.exe4 vs Request for Price Quotation.pdf.exe
                      Source: Request for Price Quotation.pdf.exe, 00000012.00000002.476304225.0000000005C20000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewbemdisp.tlbj% vs Request for Price Quotation.pdf.exe
                      Source: Request for Price Quotation.pdf.exeBinary or memory string: OriginalFilenamezRdH.exeF vs Request for Price Quotation.pdf.exe
                      Source: Request for Price Quotation.pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: Request for Price Quotation.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: vRURxcnYJm.exe.1.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: pGKuRU.exe.18.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: Request for Price Quotation.pdf.exe, ContactManagement/ContactForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: vRURxcnYJm.exe.1.dr, ContactManagement/ContactForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 1.0.Request for Price Quotation.pdf.exe.580000.0.unpack, ContactManagement/ContactForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 1.2.Request for Price Quotation.pdf.exe.580000.0.unpack, ContactManagement/ContactForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 16.0.Request for Price Quotation.pdf.exe.300000.0.unpack, ContactManagement/ContactForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 16.2.Request for Price Quotation.pdf.exe.300000.0.unpack, ContactManagement/ContactForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal100.troj.evad.winEXE@20/8@0/0
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0628253E AdjustTokenPrivileges,1_2_0628253E
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_06282507 AdjustTokenPrivileges,1_2_06282507
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 18_2_013FAF3E AdjustTokenPrivileges,18_2_013FAF3E
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 18_2_013FAF07 AdjustTokenPrivileges,18_2_013FAF07
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_0725252A AdjustTokenPrivileges,24_2_0725252A
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_072524F3 AdjustTokenPrivileges,24_2_072524F3
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_058C252A AdjustTokenPrivileges,26_2_058C252A
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_058C24F3 AdjustTokenPrivileges,26_2_058C24F3
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeFile created: C:\Users\user\AppData\Roaming\vRURxcnYJm.exeJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6636:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6012:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_01
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeMutant created: \Sessions\1\BaseNamedObjects\mFTSjiuFKGsZaFFdHZPfwAJpA
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmpD822.tmpJump to behavior
                      Source: Request for Price Quotation.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: Request for Price Quotation.pdf.exeReversingLabs: Detection: 21%
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeFile read: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\Request for Price Quotation.pdf.exe 'C:\Users\user\Desktop\Request for Price Quotation.pdf.exe'
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vRURxcnYJm' /XML 'C:\Users\user\AppData\Local\Temp\tmpD822.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess created: C:\Users\user\Desktop\Request for Price Quotation.pdf.exe {path}
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess created: C:\Users\user\Desktop\Request for Price Quotation.pdf.exe {path}
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe 'C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe'
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe 'C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe'
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vRURxcnYJm' /XML 'C:\Users\user\AppData\Local\Temp\tmpD30D.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess created: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe {path}
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vRURxcnYJm' /XML 'C:\Users\user\AppData\Local\Temp\tmpF0F5.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess created: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe {path}
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vRURxcnYJm' /XML 'C:\Users\user\AppData\Local\Temp\tmpD822.tmp'Jump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess created: C:\Users\user\Desktop\Request for Price Quotation.pdf.exe {path}Jump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess created: C:\Users\user\Desktop\Request for Price Quotation.pdf.exe {path}Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vRURxcnYJm' /XML 'C:\Users\user\AppData\Local\Temp\tmpD30D.tmp'Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess created: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe {path}Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vRURxcnYJm' /XML 'C:\Users\user\AppData\Local\Temp\tmpF0F5.tmp'Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess created: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe {path}Jump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
                      Source: Request for Price Quotation.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
                      Source: Request for Price Quotation.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: mscorrc.pdb source: Request for Price Quotation.pdf.exe, 00000001.00000002.301723615.0000000006930000.00000002.00000001.sdmp, pGKuRU.exe, 00000018.00000002.435175637.0000000006D50000.00000002.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.451550450.0000000006CA0000.00000002.00000001.sdmp

                      Data Obfuscation:

                      barindex
                      .NET source code contains method to dynamically call methods (often used by packers)Show sources
                      Source: Request for Price Quotation.pdf.exe, ContactManagement/ContactForm.cs.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
                      Source: vRURxcnYJm.exe.1.dr, ContactManagement/ContactForm.cs.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
                      Source: 1.0.Request for Price Quotation.pdf.exe.580000.0.unpack, ContactManagement/ContactForm.cs.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
                      Source: 1.2.Request for Price Quotation.pdf.exe.580000.0.unpack, ContactManagement/ContactForm.cs.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
                      Source: 16.0.Request for Price Quotation.pdf.exe.300000.0.unpack, ContactManagement/ContactForm.cs.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
                      Source: 16.2.Request for Price Quotation.pdf.exe.300000.0.unpack, ContactManagement/ContactForm.cs.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
                      Source: pGKuRU.exe.18.dr, ContactManagement/ContactForm.cs.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
                      Source: 18.2.Request for Price Quotation.pdf.exe.b70000.1.unpack, ContactManagement/ContactForm.cs.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
                      Source: 18.0.Request for Price Quotation.pdf.exe.b70000.0.unpack, ContactManagement/ContactForm.cs.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
                      Source: 18.0.Request for Price Quotation.pdf.exe.b70000.2.unpack, ContactManagement/ContactForm.cs.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
                      Source: 24.2.pGKuRU.exe.fd0000.0.unpack, ContactManagement/ContactForm.cs.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
                      Source: 24.0.pGKuRU.exe.fd0000.0.unpack, ContactManagement/ContactForm.cs.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
                      Source: 26.0.pGKuRU.exe.ee0000.0.unpack, ContactManagement/ContactForm.cs.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_00EF7807 push ds; ret 1_2_00EF7816
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_00EF7990 push ss; ret 1_2_00EF7996
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_00EF790A push ss; ret 1_2_00EF795A
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_00EF5E34 push ds; ret 1_2_00EF5E36
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_01012CCE push cs; ret 1_2_01012CEF
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0CC31383 push es; ret 1_2_0CC3138A
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0CC31397 push cs; ret 1_2_0CC3139E
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0CC313A3 push cs; ret 1_2_0CC313A6
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0CC313B3 push cs; ret 1_2_0CC313BA
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0CC31355 push cs; ret 1_2_0CC3135A
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0CC3135B push es; ret 1_2_0CC3136E
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0CC31463 push es; ret 1_2_0CC3146E
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0CC3146F push es; ret 1_2_0CC3147E
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0CC3147F push cs; ret 1_2_0CC31482
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0CC30007 push ds; ret 1_2_0CC3001E
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeCode function: 1_2_0CC3142B push cs; ret 1_2_0CC3142E
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 24_2_03322CCE push cs; ret 24_2_03322CEF
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeCode function: 26_2_05712CE8 push cs; ret 26_2_05712CEF
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.68662347155
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.68662347155
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.68662347155
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeFile created: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeJump to dropped file
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeFile created: C:\Users\user\AppData\Roaming\vRURxcnYJm.exeJump to dropped file

                      Boot Survival:

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vRURxcnYJm' /XML 'C:\Users\user\AppData\Local\Temp\tmpD822.tmp'
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run pGKuRUJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run pGKuRUJump to behavior

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeFile opened: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe:Zone.Identifier read attributes | deleteJump to behavior
                      Uses an obfuscated file name to hide its real file extension (double extension)Show sources
                      Source: Possible double extension: pdf.exeStatic PE information: Request for Price Quotation.pdf.exe
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM3Show sources
                      Source: Yara matchFile source: Process Memory Space: Request for Price Quotation.pdf.exe PID: 6496, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: pGKuRU.exe PID: 5644, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: pGKuRU.exe PID: 6744, type: MEMORY
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.296240189.0000000002CD1000.00000004.00000001.sdmp, pGKuRU.exe, 00000018.00000002.431012049.0000000003702000.00000004.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.447069014.0000000003592000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: Request for Price Quotation.pdf.exe, 00000001.00000002.296240189.0000000002CD1000.00000004.00000001.sdmp, pGKuRU.exe, 00000018.00000002.431012049.0000000003702000.00000004.00000001.sdmp, pGKuRU.exe, 0000001A.00000002.447069014.0000000003592000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: IdentifierJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exeWindow / User API: threadDelayed 428Jump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exe TID: 6552Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exe TID: 4152Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exe TID: 4152Thread sleep count: 428 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\Request for Price Quotation.pdf.exe TID: 4152Thread sleep time: -12840000s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe TID: 7024Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe TID: 1936Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe TID: 3980Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\pGKuRU\pGKuRU.exe TID: 6188