Windows Analysis Report
Acal BFi UK - Products List 020240704PDF.exe

Overview

General Information

Sample name: Acal BFi UK - Products List 020240704PDF.exe
Analysis ID: 1467943
MD5: b7d9ebad39110de3ff89686962c3270b
SHA1: a6e86e8d2ff174655eb1d30c62506db91e26c943
SHA256: 77ccc61481c9fa009dfb6af2f6293b604312d440df4338e757ad2df844d10e0b
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.3914b90.7.raw.unpack Malware Configuration Extractor: RedLine {"C2 url": ["79.110.62.16:1912"], "Bot Id": "foz", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: 79.110.62.16:1912 Virustotal: Detection: 12% Perma Link
Source: Acal BFi UK - Products List 020240704PDF.exe Virustotal: Detection: 33% Perma Link
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Acal BFi UK - Products List 020240704PDF.exe Joe Sandbox ML: detected
Source: Acal BFi UK - Products List 020240704PDF.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Acal BFi UK - Products List 020240704PDF.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Code function: 4x nop then jmp 07320538h 3_2_07320040
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Code function: 4x nop then jmp 09246442h 3_2_09246020
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Code function: 4x nop then jmp 092468C2h 3_2_09246020
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Code function: 4x nop then jmp 09242D02h 3_2_09242A50
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_09242418

Networking

Source: Traffic Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.5:49706 -> 79.110.62.16:1912
Source: Traffic Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.5:49706 -> 79.110.62.16:1912
Source: Traffic Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 79.110.62.16:1912 -> 192.168.2.5:49706
Source: Malware configuration extractor URLs: 79.110.62.16:1912
Source: global traffic TCP traffic: 192.168.2.5:49706 -> 79.110.62.16:1912
Source: Joe Sandbox View ASN Name: LASOTELFR LASOTELFR
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.0000000003266000.00000004.00000800.00020000.00000000.sdmp, Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.0000000003266000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.0000000003266000.00000004.00000800.00020000.00000000.sdmp, Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.0000000003266000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.0000000003266000.00000004.00000800.00020000.00000000.sdmp, Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.0000000003266000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3ResponseD
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000000.00000002.1998404535.00000000038C9000.00000004.00000800.00020000.00000000.sdmp, Acal BFi UK - Products List 020240704PDF.exe, 00000000.00000002.1998404535.000000000390C000.00000004.00000800.00020000.00000000.sdmp, Acal BFi UK - Products List 020240704PDF.exe, 00000000.00000002.1998404535.0000000003957000.00000004.00000800.00020000.00000000.sdmp, Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.0000000003266000.00000004.00000800.00020000.00000000.sdmp, Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2163095067.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip

System Summary

Source: Acal BFi UK - Products List 020240704PDF.exe, Resources.cs Large array initialization: array initializer size 728684
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000000.00000002.2007496707.0000000006EB0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRT.dll. vs Acal BFi UK - Products List 020240704PDF.exe
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000000.00000002.1997830874.00000000028C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRT.dll. vs Acal BFi UK - Products List 020240704PDF.exe
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000000.00000002.2008278444.000000000E400000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Acal BFi UK - Products List 020240704PDF.exe
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000000.00000002.1998404535.000000000429E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Acal BFi UK - Products List 020240704PDF.exe
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000000.00000002.1998404535.00000000039A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs Acal BFi UK - Products List 020240704PDF.exe
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000000.00000002.1998404535.000000000390C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs Acal BFi UK - Products List 020240704PDF.exe
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000000.00000002.1996902572.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Acal BFi UK - Products List 020240704PDF.exe
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000000.00000002.1998404535.0000000003957000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs Acal BFi UK - Products List 020240704PDF.exe
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2165008190.0000000003266000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Acal BFi UK - Products List 020240704PDF.exe
Source: Acal BFi UK - Products List 020240704PDF.exe, 00000003.00000002.2163095067.0000000000446000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs Acal BFi UK - Products List 020240704PDF.exe
Source: Acal BFi UK - Products List 020240704PDF.exe Binary or memory string: OriginalFilenameNsvB.exeD vs Acal BFi UK - Products List 020240704PDF.exe
Source: Acal BFi UK - Products List 020240704PDF.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Acal BFi UK - Products List 020240704PDF.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.e400000.15.raw.unpack, SICfW2horEZfjKNg2G.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.4571e00.8.raw.unpack, SICfW2horEZfjKNg2G.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.e400000.15.raw.unpack, dTUnFlHn2XyurqWSCA.cs Security API names: _0020.SetAccessControl
Source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.e400000.15.raw.unpack, dTUnFlHn2XyurqWSCA.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.e400000.15.raw.unpack, dTUnFlHn2XyurqWSCA.cs Security API names: _0020.AddAccessRule
Source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.4571e00.8.raw.unpack, dTUnFlHn2XyurqWSCA.cs Security API names: _0020.SetAccessControl
Source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.4571e00.8.raw.unpack, dTUnFlHn2XyurqWSCA.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.4571e00.8.raw.unpack, dTUnFlHn2XyurqWSCA.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/1
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Acal BFi UK - Products List 020240704PDF.exe.log
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Mutant created: NULL
Source: Acal BFi UK - Products List 020240704PDF.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Acal BFi UK - Products List 020240704PDF.exe Virustotal: Detection: 33%
Source: unknown Process created: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe "C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe"
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Process created: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe "C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe"
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Process created: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe "C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe"
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Acal BFi UK - Products List 020240704PDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Acal BFi UK - Products List 020240704PDF.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Acal BFi UK - Products List 020240704PDF.exe, MainForm.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.e400000.15.raw.unpack, dTUnFlHn2XyurqWSCA.cs .Net Code: seTF7QOXIk System.Reflection.Assembly.Load(byte[])
Source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.4571e00.8.raw.unpack, dTUnFlHn2XyurqWSCA.cs .Net Code: seTF7QOXIk System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Code function: 0_2_06F1B808 push es; ret 0_2_06F1B84E
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Code function: 3_2_0732B400 push FFFFFF8Bh; iretd 3_2_0732B402
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Code function: 3_2_0732B31C push FFFFFF8Bh; iretd 3_2_0732B31E
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Code function: 3_2_0732B361 push FFFFFF8Bh; iretd 3_2_0732B363
Source: Acal BFi UK - Products List 020240704PDF.exe Static PE information: section name: .text entropy: 7.923423628808881
Source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.4571e00.8.raw.unpack, OSXCZuq44EiNB4DYmu.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'oZOGvg3ojD', 'imGG9FB8f1', 'YQWGzcBgBl', 'QNvaURisk5', 'zwyaRTIXFG', 'mPIaG4e5Mk', 'wk2aaxrgmY', 'DJsiqYRUGMDyEY7jN2l'
Source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.4571e00.8.raw.unpack, W8ZbQSt5jWh0sb3rti.cs High entropy of concatenated method names: 'lHGibf4ajh', 'rNYi4iRIT4', 'Tlbi683Cvy', 'yey696Fq5s', 'U956znwQ6g', 'e9yiUTJu7Y', 'hCEiRCBQDM', 'ldeiGpF0JF', 'BqQiaLMefN', 'M7eiF1rJCh'
Source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.4571e00.8.raw.unpack, JYovLVZoiUnjgs6JfN.cs High entropy of concatenated method names: 'fhh4NLdPKh', 'VKA4TxF81y', 'Pxy4sXtIXY', 'qTx4d39y5G', 'MVr4P2bn18', 'xGZ4raetur', 'b4t40bnSwr', 'x034yucFWw', 'kWT4WETfS3', 'IUc4h9kCoo'
Source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.4571e00.8.raw.unpack, wDnIPxmpGcckSP6vC4.cs High entropy of concatenated method names: 'G7v7VycgK', 'zlsNX23Zn', 'M6VTJWdDh', 'y63IupuYm', 'AggdKhLGO', 'GNEknnMyU', 'YOoJjumP0LfR1hIOfg', 'qxKptm2WIuaVyHUHbB', 'KE2y9eGJG', 'LWNhPkI4A'
Source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.4571e00.8.raw.unpack, UliMWVa59jq9jqe0Mk7.cs High entropy of concatenated method names: 'h04WDGFywC', 'rXSWmAoS0p', 'DptW7wAxLS', 'Hp5WNjbQUn', 'FU5WHlSaAh', 'BacWTPSx73', 'xsmWILJrqc', 'MGtWs6ZXJK', 'oAdWdG2hya', 'zQoWknjBdB'
Source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.4571e00.8.raw.unpack, dTUnFlHn2XyurqWSCA.cs High entropy of concatenated method names: 'eGhawrcG6V', 'Rwkab5tuAE', 'ivaaVu0SVF', 'qYTa45Sr3j', 'krxaLRmXpv', 'wtJa6Y9fVo', 'rAoai3LuTI', 'YbuacSd5rV', 'VIhaArQ2hD', 'aQnaE1Etdn'
Source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.4571e00.8.raw.unpack, ide653oNnpAoAJdane.cs High entropy of concatenated method names: 'FO66wlkhDG', 'zZ86VKybHh', 'Nib6LrVPrm', 'ONN6iffv48', 'c0m6cehueK', 'IDoLORtlIi', 'Ok8L2Gj0R6', 'XZ0LfolXOv', 'xHAL5Ko6II', 'KThLviXJ7J'
Source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.4571e00.8.raw.unpack, SICfW2horEZfjKNg2G.cs High entropy of concatenated method names: 'PwcVMpKNYC', 'thAVtdKtTi', 'P1AVqYq2hV', 'mVwVxy2eo6', 'n4oVOlSm9y', 'KVVV2nMmE3', 'iX4VfpgSy4', 'DJ2V5c7go9', 'sEeVvFQtVk', 'Ak7V9LFlqJ'
Source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.4571e00.8.raw.unpack, Pk8tyBz0xsGs1FFEBY.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'J2HWn6qNL6', 'neFWPGa7XG', 'edRWr1Ex2F', 'LM7W0gq7Mf', 'Q32WyaU0FQ', 'jexWWAf3dZ', 'YJoWh6bo3V'
Source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.4571e00.8.raw.unpack, WI9mCc9RbUQDCsdfNg.cs High entropy of concatenated method names: 'aWgWRAgC3i', 'rr0Wav8rat', 'E93WFMtT8V', 'FmXWbKjCo0', 'qx7WVHCZEv', 'YmLWLwkWfD', 'eXAW6kCLFp', 'O8oyfdL91U', 'rgLy5IgySr', 'yAQyvdlfYR'
Source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.4571e00.8.raw.unpack, H41oKPStCvFpMB79cZ.cs High entropy of concatenated method names: 'Qb0LHlq2pn', 'e1yLIcuJLn', 'fSK4e79nKT', 'EdJ48aPmcj', 'oQi4CspA3R', 'zNR4SpATOj', 'ECn4QG43iw', 'vpj4BN5YEG', 'nB74u4FPDG', 'r2v4ofMJrA'
Source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.4571e00.8.raw.unpack, YA0HAsXCiB3v8n8Nyp.cs High entropy of concatenated method names: 'mPh05isLth', 'cr009XV5Sr', 'oyjyUi5BCr', 'wugyR0YS8s', 'mgV0l59xsV', 'bB90Y1YQck', 'CSq03U1QmS', 'BLh0MtlgGn', 'gF00t2Ddwj', 'RvK0qCQmmd'
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe File created: \acal bfi uk - products list 020240704pdf.exe
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Acal BFi UK - Products List 020240704PDF.exe PID: 6456, type: MEMORYSTR
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Memory allocated: ED0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Memory allocated: 28C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Memory allocated: 2800000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Memory allocated: 8A70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Memory allocated: 9A70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Memory allocated: 9C70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Memory allocated: AC70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Memory allocated: B070000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Memory allocated: C070000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Memory allocated: D070000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Memory allocated: E490000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Memory allocated: F490000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Memory allocated: 10490000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Memory allocated: 11490000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Memory allocated: 18A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Memory allocated: 31D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Memory allocated: 51D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Window / User API: threadDelayed 749
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Window / User API: threadDelayed 3756
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe TID: 7124 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe TID: 2504 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe TID: 6584 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Memory written: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Process created: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe "C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe"
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Queries volume information: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.38c9970.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Acal BFi UK - Products List 020240704PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.3914b90.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.3914b90.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.38c9970.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1998404535.00000000038C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1998404535.0000000003957000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1998404535.000000000390C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2163095067.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2165008190.0000000003266000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Acal BFi UK - Products List 020240704PDF.exe PID: 6456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Acal BFi UK - Products List 020240704PDF.exe PID: 4028, type: MEMORYSTR
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\Desktop\Acal BFi UK - Products List 020240704PDF.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match File source: 00000003.00000002.2165008190.0000000003266000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Acal BFi UK - Products List 020240704PDF.exe PID: 4028, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.38c9970.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Acal BFi UK - Products List 020240704PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.3914b90.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.3914b90.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Acal BFi UK - Products List 020240704PDF.exe.38c9970.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1998404535.00000000038C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1998404535.0000000003957000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1998404535.000000000390C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2163095067.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2165008190.0000000003266000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Acal BFi UK - Products List 020240704PDF.exe PID: 6456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Acal BFi UK - Products List 020240704PDF.exe PID: 4028, type: MEMORYSTR