Windows Analysis Report
Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe

Overview

General Information

Sample name: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
renamed because original name is a hash value
Original sample name: Rfq H2110-11Order_ROYPOWTECH %100% S51105P-E01 .exe
Analysis ID: 1523111
MD5: a168b11261c075963b1dfd139cbbfac6
SHA1: 3248fcfe659305dba908ee7271da1a3c72f103c1
SHA256: 32b59977aff73828e93c0844e7805de9c854049bb3b046399f1ce42e58679b85
Infos:

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Found malware configuration
Source: 00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "6783395654:AAGHZk1wugh441q673h1nDNWiVYW4p6ewXc", "Chat_id": "-4209622687", "Version": "5.1"}
Multi AV Scanner detection for submitted file
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe ReversingLabs: Detection: 39%
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Virustotal: Detection: 43% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdbexe source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nC:\Users\user\Desktop\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbR source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: !!.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb|7C source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.0000000006270000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER16B2.tmp.dmp.9.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER16B2.tmp.dmp.9.dr
Source: Binary string: System.Core.ni.pdb source: WER16B2.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb*d source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1964270059.0000000000C86000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.0000000006270000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: xZjq.pdbs\xZjq.pdbpdbZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER16B2.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\xZjq.pdb^3? source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.0000000006270000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbL0 source: WER16B2.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb[7 source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.0000000006270000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER16B2.tmp.dmp.9.dr
Source: Binary string: System.Windows.Forms.pdb@ source: WER16B2.tmp.dmp.9.dr
Source: Binary string: System.Xml.ni.pdb source: WER16B2.tmp.dmp.9.dr
Source: Binary string: System.ni.pdbRSDS source: WER16B2.tmp.dmp.9.dr
Source: Binary string: xZjq.pdbSHA256 source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Source: Binary string: n@C:\Users\user\Desktop\xZjq.pdb $+ source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\xZjq.pdbpdbZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER16B2.tmp.dmp.9.dr
Source: Binary string: u.PDB source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl._ source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1964270059.0000000000C86000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1964270059.0000000000C86000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.PDB9 source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER16B2.tmp.dmp.9.dr
Source: Binary string: mscorlib.pdbvT source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.0000000006270000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WER16B2.tmp.dmp.9.dr
Source: Binary string: System.Xml.pdb source: WER16B2.tmp.dmp.9.dr
Source: Binary string: System.pdb source: WER16B2.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\System.Windows.Forms.pdbj0U source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.0000000006270000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp, WER16B2.tmp.dmp.9.dr
Source: Binary string: symbols\exe\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER16B2.tmp.dmp.9.dr
Source: Binary string: System.Windows.Forms.pdbt source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbH source: WER16B2.tmp.dmp.9.dr
Source: Binary string: System.Core.pdb source: WER16B2.tmp.dmp.9.dr
Source: Binary string: n(C:\Windows\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1964270059.0000000000C86000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Windows.Forms.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Windows.Forms.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1964270059.0000000000C86000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: xZjq.pdbh source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER16B2.tmp.dmp.9.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER16B2.tmp.dmp.9.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 4x nop then jmp 07D46A66h 0_2_07D46E22

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49739 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49736 -> 188.114.96.3:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002A26000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002961000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002A68000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002A26000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002961000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002A40000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1676535637.0000000003640000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002961000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.9.dr String found in binary or memory: http://upx.sf.net
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678544794.0000000005EF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.comP&
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1678626025.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002A68000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002A26000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002A26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002A68000.00000004.00000800.00020000.00000000.sdmp, Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1965220734.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 6364, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 6364, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 7032, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 7032, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 0_2_0322D5BC 0_2_0322D5BC
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 0_2_059E6FD8 0_2_059E6FD8
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 0_2_059E0006 0_2_059E0006
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 0_2_059E0040 0_2_059E0040
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 0_2_059E6FC8 0_2_059E6FC8
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 0_2_07D43510 0_2_07D43510
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 0_2_07D43501 0_2_07D43501
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 0_2_07D44410 0_2_07D44410
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 0_2_07D43F18 0_2_07D43F18
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 0_2_07D43F08 0_2_07D43F08
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 0_2_07D41D10 0_2_07D41D10
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 0_2_07D418D8 0_2_07D418D8
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F9C1DF 5_2_00F9C1DF
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F96108 5_2_00F96108
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F9B328 5_2_00F9B328
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F9C4BF 5_2_00F9C4BF
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F99540 5_2_00F99540
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F9C79F 5_2_00F9C79F
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F96880 5_2_00F96880
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F94AE7 5_2_00F94AE7
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F9CA7F 5_2_00F9CA7F
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F9BBDF 5_2_00F9BBDF
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F9CD5F 5_2_00F9CD5F
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F93570 5_2_00F93570
One or more processes crash
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 2536
Sample file is different than original file name gathered from version info
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1676535637.0000000003640000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1679217876.0000000007CD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000000.1638029816.0000000000F08000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamexZjq.exeF vs Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1677007999.0000000004CBA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1675498294.000000000149E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963646151.0000000000422000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Binary or memory string: OriginalFilenamexZjq.exeF vs Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Uses 32bit PE files
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 6364, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 6364, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 7032, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 7032, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, Z.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, Z.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, Z.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, Z.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, -.cs Base64 encoded string: 'G4pV1kZlzrWG3ii/qsKXSnYs+5NUWVZZLTztKeesew9//zKKMVqxJyBhDWLI4hit'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, -.cs Base64 encoded string: 'G4pV1kZlzrWG3ii/qsKXSnYs+5NUWVZZLTztKeesew9//zKKMVqxJyBhDWLI4hit'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, gSpCmqtxabgBVI8i5l.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, gSpCmqtxabgBVI8i5l.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, gSpCmqtxabgBVI8i5l.cs Security API names: _0020.AddAccessRule
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, gSpCmqtxabgBVI8i5l.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, gSpCmqtxabgBVI8i5l.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, gSpCmqtxabgBVI8i5l.cs Security API names: _0020.AddAccessRule
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, YyDoaCV4XL6YvGn57w.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, YyDoaCV4XL6YvGn57w.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, gSpCmqtxabgBVI8i5l.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, gSpCmqtxabgBVI8i5l.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, gSpCmqtxabgBVI8i5l.cs Security API names: _0020.AddAccessRule
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, YyDoaCV4XL6YvGn57w.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/11@2/2
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.log Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7032
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_03
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Mutant created: \Sessions\1\BaseNamedObjects\vPntyf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ft1l0bfw.inc.ps1 Jump to behavior
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe ReversingLabs: Detection: 39%
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Virustotal: Detection: 43%
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe File read: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe"
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe"
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process created: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process created: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe"
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 2536
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe" Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process created: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe" Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process created: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe" Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdbexe source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nC:\Users\user\Desktop\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbR source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: !!.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb|7C source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.0000000006270000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER16B2.tmp.dmp.9.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER16B2.tmp.dmp.9.dr
Source: Binary string: System.Core.ni.pdb source: WER16B2.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb*d source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1964270059.0000000000C86000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.0000000006270000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: xZjq.pdbs\xZjq.pdbpdbZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER16B2.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\xZjq.pdb^3? source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.0000000006270000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbL0 source: WER16B2.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb[7 source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.0000000006270000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER16B2.tmp.dmp.9.dr
Source: Binary string: System.Windows.Forms.pdb@ source: WER16B2.tmp.dmp.9.dr
Source: Binary string: System.Xml.ni.pdb source: WER16B2.tmp.dmp.9.dr
Source: Binary string: System.ni.pdbRSDS source: WER16B2.tmp.dmp.9.dr
Source: Binary string: xZjq.pdbSHA256 source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe
Source: Binary string: n@C:\Users\user\Desktop\xZjq.pdb $+ source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\xZjq.pdbpdbZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER16B2.tmp.dmp.9.dr
Source: Binary string: u.PDB source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl._ source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1964270059.0000000000C86000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1964270059.0000000000C86000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.PDB9 source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER16B2.tmp.dmp.9.dr
Source: Binary string: mscorlib.pdbvT source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.0000000006270000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WER16B2.tmp.dmp.9.dr
Source: Binary string: System.Xml.pdb source: WER16B2.tmp.dmp.9.dr
Source: Binary string: System.pdb source: WER16B2.tmp.dmp.9.dr
Source: Binary string: \??\C:\Windows\System.Windows.Forms.pdbj0U source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.0000000006270000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp, WER16B2.tmp.dmp.9.dr
Source: Binary string: symbols\exe\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER16B2.tmp.dmp.9.dr
Source: Binary string: System.Windows.Forms.pdbt source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbH source: WER16B2.tmp.dmp.9.dr
Source: Binary string: System.Core.pdb source: WER16B2.tmp.dmp.9.dr
Source: Binary string: n(C:\Windows\xZjq.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1963806467.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1964270059.0000000000C86000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Windows.Forms.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Windows.Forms.pdb source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1964270059.0000000000C86000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: xZjq.pdbh source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1966452283.00000000062B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER16B2.tmp.dmp.9.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER16B2.tmp.dmp.9.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4489c80.1.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, gSpCmqtxabgBVI8i5l.cs .Net Code: hsUh1RQq3d System.Reflection.Assembly.Load(byte[])
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.44a1ea0.3.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, gSpCmqtxabgBVI8i5l.cs .Net Code: hsUh1RQq3d System.Reflection.Assembly.Load(byte[])
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, gSpCmqtxabgBVI8i5l.cs .Net Code: hsUh1RQq3d System.Reflection.Assembly.Load(byte[])
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.5d70000.6.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Binary contains a suspicious time stamp
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Static PE information: 0x8E983937 [Mon Oct 23 03:06:31 2045 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 0_2_07D40DC0 push esp; iretd 0_2_07D40DC1
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 0_2_07D49A35 push FFFFFF8Bh; iretd 0_2_07D49A37
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F9B328 push ebp; ret 5_2_00F9B4FE
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F9D030 push esp; ret 5_2_00F9D03E
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F9C1D1 push ebp; ret 5_2_00F9C1DE
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F9C4B1 push ebp; ret 5_2_00F9C4BE
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F914A8 push edx; ret 5_2_00F914B6
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F93570 push esp; ret 5_2_00F93906
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F907DF push edi; ret 5_2_00F907E2
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F907B8 push ebp; ret 5_2_00F907C2
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F90778 push ebp; ret 5_2_00F90782
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F918B8 push ebx; ret 5_2_00F918C6
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F9D900 push esp; ret 5_2_00F9D90E
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F94AD9 push esp; ret 5_2_00F94AE6
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F9CA70 push ebp; ret 5_2_00F9CA7E
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F9BBD2 push ebp; ret 5_2_00F9BBDE
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F90C8F push edx; ret 5_2_00F90C9E
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Code function: 5_2_00F9CD51 push ebp; ret 5_2_00F9CD5E
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Static PE information: section name: .text entropy: 7.647044566215728
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, NdgYdto4tahmEQdqZr.cs High entropy of concatenated method names: 'wujGUvCZli', 'CNPGjSFaxs', 'KgCG1O3jbQ', 'oxbGOU92Y0', 'rLcG04B6Eb', 'GQUGeLGilw', 'muEGv61uCJ', 'GM6GVpyfuc', 'fOdG9CfZ0H', 'hSgGFO5gCm'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, dy4xLZhqMOhdrZ6HKG.cs High entropy of concatenated method names: 'HEDyGyDoaC', 'SXLyt6YvGn', 'sn7y5sw2aj', 'etMybWxl9p', 'dHhyuTCHlf', 'rUgygdWbfx', 'gy89CHUDnHLeakcNkg', 'WfW06Qb3N63ZJ9Tf0u', 'WAhyysbw69', 'YpiyIapCSY'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, wOfryEKJFo7xTnyYSv.cs High entropy of concatenated method names: 'F7fiVyymFj', 'zUJi9n5SY7', 'qX6ik7juiX', 'vR6i7Ugoss', 'tgPiYpTfeB', 'BnOiWUeKvE', 'Jm6iCwr6wk', 'qXgiwHtkof', 'HweiL1PUBY', 'diGiZ0rU2I'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, hfNmbTDiry0or0Cyxa.cs High entropy of concatenated method names: 'XuIXyd7SfG', 'KqrXIyj7oA', 'Nu9Xhio5Mx', 'IQnXMCYN5K', 'XbKXqxiRaM', 'SKTXA8jELC', 'LfnXHl4PLh', 'tIhBRHRycB', 'sTJBng1kBo', 'gR1BlQXxcI'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, YyDoaCV4XL6YvGn57w.cs High entropy of concatenated method names: 'mP7q2i1brC', 'LwaqEyMtps', 'VDJq4CGnVp', 'osTqpD7yT9', 'PjQqQyapjh', 'CgVqS8l7cl', 'D4yqRX750Z', 'BOlqnyFkCP', 'kiBqlxWIDq', 'hHYqD8hsWT'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, bCBBcb25EVcefRsDTB.cs High entropy of concatenated method names: 'FkiuLdBiUB', 'Ch4uffEOIr', 'Rubu2yKRS5', 'xUouEc3xXp', 'Uo6u7cpP0j', 'UGeucbXH4r', 'nHkuYlwZVI', 'pR8uWWdpmN', 'HxBuTAS6EV', 'kEPuC6lR47'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, Ymx7jtyy97yLa3jx5ub.cs High entropy of concatenated method names: 'ToString', 'UVK6IMx5eb', 'aFo6hY7Eva', 'kgD6PogQ3n', 'N1D6Mm1wFm', 'zoC6qp1Pvu', 'smd6mhopIm', 'ziB6AZVSXO', 'gB35Ut0kkEAF1lk2bLD', 'a9bRQr0BFYqK30fgcuP'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, wZo2QMqKw7NWpE8OiU.cs High entropy of concatenated method names: 'Dispose', 'ggwylWxY9v', 'zJRd7IJ2xV', 'PXc33GjkcH', 'GB5yD3PNTr', 'cD9yzxoElo', 'ProcessDialogKey', 'JihdsKUU8l', 'ARIdypHEHd', 'Kw9ddAfNmb'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, OOC7qVTGyde1j7I5Vv.cs High entropy of concatenated method names: 'u6JH4X5ceH', 'RRaHpRGq1l', 'u09HQBm7r9', 'ToString', 'ksOHSCAv6A', 'JfTHRyVrdv', 'CspdehmiLZD3D28aOEW', 'A5QjgZmvBcuCbdklAM7'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, N2L5uiyIVv4xjOCY30P.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'big62lAGVN', 'tQy6EFJLIk', 'ClS64YYCNl', 'QNn6pm2ab0', 'hNa6QKk4Wq', 'P8X6SsyHJ3', 'nJo6ROVNGa'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, j3gFaxSn1KuexmQWEK.cs High entropy of concatenated method names: 'jRsanDVJe8', 'fHaaDRYNnZ', 'zMqBshKMpm', 'hxIByuqX1o', 'mFZaZ24GQQ', 'o17af0BOIK', 'eF1aKKFbTR', 'nlra2Pw4fM', 'uaGaEbyqmO', 'vdGa4M0Ohj'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, dLhNXKysico8ZTaQFMI.cs High entropy of concatenated method names: 'EYDXUct3IS', 'GIVXj3pgyV', 'h1BX13fC9A', 'R74XODty0I', 'mUeX0IZbO5', 'aUhXewXhlU', 'gwMXvhZaun', 'LNZXVNsW4H', 'MbWX9bj8cC', 'ILoXFRgOyk'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, dKUU8ll0RIpHEHdTw9.cs High entropy of concatenated method names: 'xDRBkZFdYn', 'XiMB7aEW78', 'st7BcXnHkT', 'bOmBYZyPyQ', 'fKJB2SfX47', 'TQgBWC3TFp', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, q53PNTnrID9xoEloWi.cs High entropy of concatenated method names: 'phEBMPYBkL', 'IZ3BqaxUNR', 'EoWBmaSV6M', 's3BBAJGu12', 'HGmBHpVaHB', 'DhsBGUWtGf', 'CERBt1RBSx', 'L8nBJysbcb', 'm5ZB5rfHBf', 'D07Bb1hyOY'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, tl9p6JFu1ULHBIHhTC.cs High entropy of concatenated method names: 'ic9A0Xs6mS', 'Wp2AvaY377', 'PNCmcH0IFA', 'llsmYILuEc', 'hU3mWwhb6P', 'eawmTcjilh', 'K0dmCikjuX', 'yu8mw6MAHW', 'WcFmodsO4C', 'eGPmLQl6ee'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, soqRI69n7sw2ajPtMW.cs High entropy of concatenated method names: 'MlfmOn7vm9', 'WJgmeimrmF', 't4dmVD715j', 'tVom9bLUu9', 'zQ7muoVhQt', 'NyYmg6fD3o', 'lramaylYXO', 'odRmB9FGcW', 'h80mXJWQIK', 'ztvm69yEQu'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, vxGZ4lpgxdYUpSrWVq.cs High entropy of concatenated method names: 'yWNa5vgET7', 'gqKabQ6Qk8', 'ToString', 'w7kaMkhU3p', 'Rnjaq0jjgR', 'Y4namiPD1j', 'yPNaA1hJrD', 'yjBaHVLIPJ', 'dLAaGF5fg4', 'uckatyYfWM'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, rMeTksd0q4hASIEF7p.cs High entropy of concatenated method names: 'PSm1HgPq0', 'eO3Ob3q7F', 'MnxewpW9B', 'RH8vyeCCp', 'PF89Cxr7l', 'edJFcsvho', 'hdDChJhJ6BHrA0dGWA', 'ilNFwVTvmhA6LxEyOC', 'gUiBmGYYx', 'RRi6fllCW'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, T2f5jkYbysOmyr2JBk.cs High entropy of concatenated method names: 'kG7HNQMmuo', 'XxWHUoo4m0', 'NdjH1S5DSd', 'RmqHOwEYlq', 'QEWHeix4GC', 'KuJHv3tSrR', 'GL4H9NAn0R', 'T2LHF1Cw69', 'z6hOb2mJYOrJLsBZ6Mf', 'CW9WM2m8r18GUyW4I5g'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, gSpCmqtxabgBVI8i5l.cs High entropy of concatenated method names: 'ixpIPx0Me5', 'krOIMR3b08', 'XIpIq0MoYg', 'QFJImjg2Q4', 'PDyIAcxJA9', 'RqhIHO76QJ', 'Ia9IGAJi1u', 'ekTItlBYsh', 'VBOIJnD0gT', 'iOUI5p6TTP'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, N3hqEl418ZpQYWVLLh.cs High entropy of concatenated method names: 'ToString', 'UaSgZ5pK7E', 'UHng7PFhkW', 'WfbgcTyIND', 'WIxgYXuwr8', 'Ge5gWcfoQe', 'FnlgTe0Hod', 'zFCgCqikoC', 'SVwgwhtY5I', 'hXfgoOPTxU'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4e53110.2.raw.unpack, jlfBUgkdWbfx37dOF6.cs High entropy of concatenated method names: 'p3UHPrWJA4', 'v9HHqL5ETY', 'vXTHAfRnuc', 'LYIHGX0iyq', 'j5QHtpwc2j', 'j4bAQk6fsV', 'm8wASNeJSb', 'n4yARJlyW6', 'JVKAn1mEiV', 'NE7AlWucSc'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, NdgYdto4tahmEQdqZr.cs High entropy of concatenated method names: 'wujGUvCZli', 'CNPGjSFaxs', 'KgCG1O3jbQ', 'oxbGOU92Y0', 'rLcG04B6Eb', 'GQUGeLGilw', 'muEGv61uCJ', 'GM6GVpyfuc', 'fOdG9CfZ0H', 'hSgGFO5gCm'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, dy4xLZhqMOhdrZ6HKG.cs High entropy of concatenated method names: 'HEDyGyDoaC', 'SXLyt6YvGn', 'sn7y5sw2aj', 'etMybWxl9p', 'dHhyuTCHlf', 'rUgygdWbfx', 'gy89CHUDnHLeakcNkg', 'WfW06Qb3N63ZJ9Tf0u', 'WAhyysbw69', 'YpiyIapCSY'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, wOfryEKJFo7xTnyYSv.cs High entropy of concatenated method names: 'F7fiVyymFj', 'zUJi9n5SY7', 'qX6ik7juiX', 'vR6i7Ugoss', 'tgPiYpTfeB', 'BnOiWUeKvE', 'Jm6iCwr6wk', 'qXgiwHtkof', 'HweiL1PUBY', 'diGiZ0rU2I'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, hfNmbTDiry0or0Cyxa.cs High entropy of concatenated method names: 'XuIXyd7SfG', 'KqrXIyj7oA', 'Nu9Xhio5Mx', 'IQnXMCYN5K', 'XbKXqxiRaM', 'SKTXA8jELC', 'LfnXHl4PLh', 'tIhBRHRycB', 'sTJBng1kBo', 'gR1BlQXxcI'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, YyDoaCV4XL6YvGn57w.cs High entropy of concatenated method names: 'mP7q2i1brC', 'LwaqEyMtps', 'VDJq4CGnVp', 'osTqpD7yT9', 'PjQqQyapjh', 'CgVqS8l7cl', 'D4yqRX750Z', 'BOlqnyFkCP', 'kiBqlxWIDq', 'hHYqD8hsWT'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, bCBBcb25EVcefRsDTB.cs High entropy of concatenated method names: 'FkiuLdBiUB', 'Ch4uffEOIr', 'Rubu2yKRS5', 'xUouEc3xXp', 'Uo6u7cpP0j', 'UGeucbXH4r', 'nHkuYlwZVI', 'pR8uWWdpmN', 'HxBuTAS6EV', 'kEPuC6lR47'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, Ymx7jtyy97yLa3jx5ub.cs High entropy of concatenated method names: 'ToString', 'UVK6IMx5eb', 'aFo6hY7Eva', 'kgD6PogQ3n', 'N1D6Mm1wFm', 'zoC6qp1Pvu', 'smd6mhopIm', 'ziB6AZVSXO', 'gB35Ut0kkEAF1lk2bLD', 'a9bRQr0BFYqK30fgcuP'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, wZo2QMqKw7NWpE8OiU.cs High entropy of concatenated method names: 'Dispose', 'ggwylWxY9v', 'zJRd7IJ2xV', 'PXc33GjkcH', 'GB5yD3PNTr', 'cD9yzxoElo', 'ProcessDialogKey', 'JihdsKUU8l', 'ARIdypHEHd', 'Kw9ddAfNmb'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, OOC7qVTGyde1j7I5Vv.cs High entropy of concatenated method names: 'u6JH4X5ceH', 'RRaHpRGq1l', 'u09HQBm7r9', 'ToString', 'ksOHSCAv6A', 'JfTHRyVrdv', 'CspdehmiLZD3D28aOEW', 'A5QjgZmvBcuCbdklAM7'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, N2L5uiyIVv4xjOCY30P.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'big62lAGVN', 'tQy6EFJLIk', 'ClS64YYCNl', 'QNn6pm2ab0', 'hNa6QKk4Wq', 'P8X6SsyHJ3', 'nJo6ROVNGa'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, j3gFaxSn1KuexmQWEK.cs High entropy of concatenated method names: 'jRsanDVJe8', 'fHaaDRYNnZ', 'zMqBshKMpm', 'hxIByuqX1o', 'mFZaZ24GQQ', 'o17af0BOIK', 'eF1aKKFbTR', 'nlra2Pw4fM', 'uaGaEbyqmO', 'vdGa4M0Ohj'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, dLhNXKysico8ZTaQFMI.cs High entropy of concatenated method names: 'EYDXUct3IS', 'GIVXj3pgyV', 'h1BX13fC9A', 'R74XODty0I', 'mUeX0IZbO5', 'aUhXewXhlU', 'gwMXvhZaun', 'LNZXVNsW4H', 'MbWX9bj8cC', 'ILoXFRgOyk'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, dKUU8ll0RIpHEHdTw9.cs High entropy of concatenated method names: 'xDRBkZFdYn', 'XiMB7aEW78', 'st7BcXnHkT', 'bOmBYZyPyQ', 'fKJB2SfX47', 'TQgBWC3TFp', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, q53PNTnrID9xoEloWi.cs High entropy of concatenated method names: 'phEBMPYBkL', 'IZ3BqaxUNR', 'EoWBmaSV6M', 's3BBAJGu12', 'HGmBHpVaHB', 'DhsBGUWtGf', 'CERBt1RBSx', 'L8nBJysbcb', 'm5ZB5rfHBf', 'D07Bb1hyOY'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, tl9p6JFu1ULHBIHhTC.cs High entropy of concatenated method names: 'ic9A0Xs6mS', 'Wp2AvaY377', 'PNCmcH0IFA', 'llsmYILuEc', 'hU3mWwhb6P', 'eawmTcjilh', 'K0dmCikjuX', 'yu8mw6MAHW', 'WcFmodsO4C', 'eGPmLQl6ee'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, soqRI69n7sw2ajPtMW.cs High entropy of concatenated method names: 'MlfmOn7vm9', 'WJgmeimrmF', 't4dmVD715j', 'tVom9bLUu9', 'zQ7muoVhQt', 'NyYmg6fD3o', 'lramaylYXO', 'odRmB9FGcW', 'h80mXJWQIK', 'ztvm69yEQu'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, vxGZ4lpgxdYUpSrWVq.cs High entropy of concatenated method names: 'yWNa5vgET7', 'gqKabQ6Qk8', 'ToString', 'w7kaMkhU3p', 'Rnjaq0jjgR', 'Y4namiPD1j', 'yPNaA1hJrD', 'yjBaHVLIPJ', 'dLAaGF5fg4', 'uckatyYfWM'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, rMeTksd0q4hASIEF7p.cs High entropy of concatenated method names: 'PSm1HgPq0', 'eO3Ob3q7F', 'MnxewpW9B', 'RH8vyeCCp', 'PF89Cxr7l', 'edJFcsvho', 'hdDChJhJ6BHrA0dGWA', 'ilNFwVTvmhA6LxEyOC', 'gUiBmGYYx', 'RRi6fllCW'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, T2f5jkYbysOmyr2JBk.cs High entropy of concatenated method names: 'kG7HNQMmuo', 'XxWHUoo4m0', 'NdjH1S5DSd', 'RmqHOwEYlq', 'QEWHeix4GC', 'KuJHv3tSrR', 'GL4H9NAn0R', 'T2LHF1Cw69', 'z6hOb2mJYOrJLsBZ6Mf', 'CW9WM2m8r18GUyW4I5g'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, gSpCmqtxabgBVI8i5l.cs High entropy of concatenated method names: 'ixpIPx0Me5', 'krOIMR3b08', 'XIpIq0MoYg', 'QFJImjg2Q4', 'PDyIAcxJA9', 'RqhIHO76QJ', 'Ia9IGAJi1u', 'ekTItlBYsh', 'VBOIJnD0gT', 'iOUI5p6TTP'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, N3hqEl418ZpQYWVLLh.cs High entropy of concatenated method names: 'ToString', 'UaSgZ5pK7E', 'UHng7PFhkW', 'WfbgcTyIND', 'WIxgYXuwr8', 'Ge5gWcfoQe', 'FnlgTe0Hod', 'zFCgCqikoC', 'SVwgwhtY5I', 'hXfgoOPTxU'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4eb4930.5.raw.unpack, jlfBUgkdWbfx37dOF6.cs High entropy of concatenated method names: 'p3UHPrWJA4', 'v9HHqL5ETY', 'vXTHAfRnuc', 'LYIHGX0iyq', 'j5QHtpwc2j', 'j4bAQk6fsV', 'm8wASNeJSb', 'n4yARJlyW6', 'JVKAn1mEiV', 'NE7AlWucSc'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, NdgYdto4tahmEQdqZr.cs High entropy of concatenated method names: 'wujGUvCZli', 'CNPGjSFaxs', 'KgCG1O3jbQ', 'oxbGOU92Y0', 'rLcG04B6Eb', 'GQUGeLGilw', 'muEGv61uCJ', 'GM6GVpyfuc', 'fOdG9CfZ0H', 'hSgGFO5gCm'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, dy4xLZhqMOhdrZ6HKG.cs High entropy of concatenated method names: 'HEDyGyDoaC', 'SXLyt6YvGn', 'sn7y5sw2aj', 'etMybWxl9p', 'dHhyuTCHlf', 'rUgygdWbfx', 'gy89CHUDnHLeakcNkg', 'WfW06Qb3N63ZJ9Tf0u', 'WAhyysbw69', 'YpiyIapCSY'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, wOfryEKJFo7xTnyYSv.cs High entropy of concatenated method names: 'F7fiVyymFj', 'zUJi9n5SY7', 'qX6ik7juiX', 'vR6i7Ugoss', 'tgPiYpTfeB', 'BnOiWUeKvE', 'Jm6iCwr6wk', 'qXgiwHtkof', 'HweiL1PUBY', 'diGiZ0rU2I'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, hfNmbTDiry0or0Cyxa.cs High entropy of concatenated method names: 'XuIXyd7SfG', 'KqrXIyj7oA', 'Nu9Xhio5Mx', 'IQnXMCYN5K', 'XbKXqxiRaM', 'SKTXA8jELC', 'LfnXHl4PLh', 'tIhBRHRycB', 'sTJBng1kBo', 'gR1BlQXxcI'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, YyDoaCV4XL6YvGn57w.cs High entropy of concatenated method names: 'mP7q2i1brC', 'LwaqEyMtps', 'VDJq4CGnVp', 'osTqpD7yT9', 'PjQqQyapjh', 'CgVqS8l7cl', 'D4yqRX750Z', 'BOlqnyFkCP', 'kiBqlxWIDq', 'hHYqD8hsWT'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, bCBBcb25EVcefRsDTB.cs High entropy of concatenated method names: 'FkiuLdBiUB', 'Ch4uffEOIr', 'Rubu2yKRS5', 'xUouEc3xXp', 'Uo6u7cpP0j', 'UGeucbXH4r', 'nHkuYlwZVI', 'pR8uWWdpmN', 'HxBuTAS6EV', 'kEPuC6lR47'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, Ymx7jtyy97yLa3jx5ub.cs High entropy of concatenated method names: 'ToString', 'UVK6IMx5eb', 'aFo6hY7Eva', 'kgD6PogQ3n', 'N1D6Mm1wFm', 'zoC6qp1Pvu', 'smd6mhopIm', 'ziB6AZVSXO', 'gB35Ut0kkEAF1lk2bLD', 'a9bRQr0BFYqK30fgcuP'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, wZo2QMqKw7NWpE8OiU.cs High entropy of concatenated method names: 'Dispose', 'ggwylWxY9v', 'zJRd7IJ2xV', 'PXc33GjkcH', 'GB5yD3PNTr', 'cD9yzxoElo', 'ProcessDialogKey', 'JihdsKUU8l', 'ARIdypHEHd', 'Kw9ddAfNmb'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, OOC7qVTGyde1j7I5Vv.cs High entropy of concatenated method names: 'u6JH4X5ceH', 'RRaHpRGq1l', 'u09HQBm7r9', 'ToString', 'ksOHSCAv6A', 'JfTHRyVrdv', 'CspdehmiLZD3D28aOEW', 'A5QjgZmvBcuCbdklAM7'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, N2L5uiyIVv4xjOCY30P.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'big62lAGVN', 'tQy6EFJLIk', 'ClS64YYCNl', 'QNn6pm2ab0', 'hNa6QKk4Wq', 'P8X6SsyHJ3', 'nJo6ROVNGa'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, j3gFaxSn1KuexmQWEK.cs High entropy of concatenated method names: 'jRsanDVJe8', 'fHaaDRYNnZ', 'zMqBshKMpm', 'hxIByuqX1o', 'mFZaZ24GQQ', 'o17af0BOIK', 'eF1aKKFbTR', 'nlra2Pw4fM', 'uaGaEbyqmO', 'vdGa4M0Ohj'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, dLhNXKysico8ZTaQFMI.cs High entropy of concatenated method names: 'EYDXUct3IS', 'GIVXj3pgyV', 'h1BX13fC9A', 'R74XODty0I', 'mUeX0IZbO5', 'aUhXewXhlU', 'gwMXvhZaun', 'LNZXVNsW4H', 'MbWX9bj8cC', 'ILoXFRgOyk'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, dKUU8ll0RIpHEHdTw9.cs High entropy of concatenated method names: 'xDRBkZFdYn', 'XiMB7aEW78', 'st7BcXnHkT', 'bOmBYZyPyQ', 'fKJB2SfX47', 'TQgBWC3TFp', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, q53PNTnrID9xoEloWi.cs High entropy of concatenated method names: 'phEBMPYBkL', 'IZ3BqaxUNR', 'EoWBmaSV6M', 's3BBAJGu12', 'HGmBHpVaHB', 'DhsBGUWtGf', 'CERBt1RBSx', 'L8nBJysbcb', 'm5ZB5rfHBf', 'D07Bb1hyOY'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, tl9p6JFu1ULHBIHhTC.cs High entropy of concatenated method names: 'ic9A0Xs6mS', 'Wp2AvaY377', 'PNCmcH0IFA', 'llsmYILuEc', 'hU3mWwhb6P', 'eawmTcjilh', 'K0dmCikjuX', 'yu8mw6MAHW', 'WcFmodsO4C', 'eGPmLQl6ee'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, soqRI69n7sw2ajPtMW.cs High entropy of concatenated method names: 'MlfmOn7vm9', 'WJgmeimrmF', 't4dmVD715j', 'tVom9bLUu9', 'zQ7muoVhQt', 'NyYmg6fD3o', 'lramaylYXO', 'odRmB9FGcW', 'h80mXJWQIK', 'ztvm69yEQu'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, vxGZ4lpgxdYUpSrWVq.cs High entropy of concatenated method names: 'yWNa5vgET7', 'gqKabQ6Qk8', 'ToString', 'w7kaMkhU3p', 'Rnjaq0jjgR', 'Y4namiPD1j', 'yPNaA1hJrD', 'yjBaHVLIPJ', 'dLAaGF5fg4', 'uckatyYfWM'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, rMeTksd0q4hASIEF7p.cs High entropy of concatenated method names: 'PSm1HgPq0', 'eO3Ob3q7F', 'MnxewpW9B', 'RH8vyeCCp', 'PF89Cxr7l', 'edJFcsvho', 'hdDChJhJ6BHrA0dGWA', 'ilNFwVTvmhA6LxEyOC', 'gUiBmGYYx', 'RRi6fllCW'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, T2f5jkYbysOmyr2JBk.cs High entropy of concatenated method names: 'kG7HNQMmuo', 'XxWHUoo4m0', 'NdjH1S5DSd', 'RmqHOwEYlq', 'QEWHeix4GC', 'KuJHv3tSrR', 'GL4H9NAn0R', 'T2LHF1Cw69', 'z6hOb2mJYOrJLsBZ6Mf', 'CW9WM2m8r18GUyW4I5g'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, gSpCmqtxabgBVI8i5l.cs High entropy of concatenated method names: 'ixpIPx0Me5', 'krOIMR3b08', 'XIpIq0MoYg', 'QFJImjg2Q4', 'PDyIAcxJA9', 'RqhIHO76QJ', 'Ia9IGAJi1u', 'ekTItlBYsh', 'VBOIJnD0gT', 'iOUI5p6TTP'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, N3hqEl418ZpQYWVLLh.cs High entropy of concatenated method names: 'ToString', 'UaSgZ5pK7E', 'UHng7PFhkW', 'WfbgcTyIND', 'WIxgYXuwr8', 'Ge5gWcfoQe', 'FnlgTe0Hod', 'zFCgCqikoC', 'SVwgwhtY5I', 'hXfgoOPTxU'
Source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.7cd0000.7.raw.unpack, jlfBUgkdWbfx37dOF6.cs High entropy of concatenated method names: 'p3UHPrWJA4', 'v9HHqL5ETY', 'vXTHAfRnuc', 'LYIHGX0iyq', 'j5QHtpwc2j', 'j4bAQk6fsV', 'm8wASNeJSb', 'n4yARJlyW6', 'JVKAn1mEiV', 'NE7AlWucSc'

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 6364, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Memory allocated: 3180000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Memory allocated: 3460000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Memory allocated: 3180000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Memory allocated: 83F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Memory allocated: 93F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Memory allocated: 95A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Memory allocated: A5A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Memory allocated: A900000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Memory allocated: B900000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Memory allocated: C900000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Memory allocated: F90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Memory allocated: 2960000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Memory allocated: 4960000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 599672 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 599453 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 599343 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 599124 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 599015 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 598906 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 598797 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 598687 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 598576 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 598468 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 598359 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 598250 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 598140 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 598031 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 597922 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 597812 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 597703 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 597593 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 597484 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 597375 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 597265 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 597047 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 596937 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 596826 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 596718 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 596609 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 596500 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 596390 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 596278 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 596171 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 596062 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 595953 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 595843 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 595734 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 595625 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 595515 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 595406 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 595297 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 595187 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 595078 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 594968 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 594859 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 594736 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 594609 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5725 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4088 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Window / User API: threadDelayed 1585 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Window / User API: threadDelayed 8274 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 6452 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 772 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep count: 34 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -31359464925306218s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7076 Thread sleep count: 1585 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -599890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7076 Thread sleep count: 8274 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -599781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -599672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -599562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -599453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -599343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -599234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -599124s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -599015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -598906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -598797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -598687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -598576s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -598468s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -598359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -598250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -598140s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -598031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -597922s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -597812s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -597703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -597593s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -597484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -597375s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -597265s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -597156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -597047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -596937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -596826s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -596718s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -596609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -596500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -596390s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -596278s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -596171s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -596062s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -595953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -595843s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -595734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -595625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -595515s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -595406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -595297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -595187s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -595078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -594968s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -594859s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -594736s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe TID: 7036 Thread sleep time: -594609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 599672 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 599453 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 599343 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 599124 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 599015 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 598906 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 598797 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 598687 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 598576 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 598468 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 598359 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 598250 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 598140 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 598031 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 597922 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 597812 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 597703 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 597593 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 597484 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 597375 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 597265 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 597047 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 596937 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 596826 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 596718 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 596609 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 596500 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 596390 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 596278 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 596171 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 596062 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 595953 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 595843 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 595734 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 595625 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 595515 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 595406 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 595297 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 595187 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 595078 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 594968 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 594859 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 594736 Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Thread delayed: delay time: 594609 Jump to behavior
Source: Amcache.hve.9.dr Binary or memory string: VMware
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000005.00000002.1964270059.0000000000C86000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe, 00000000.00000002.1675498294.00000000014D9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process queried: DebugPort Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe"
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Memory written: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe" Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process created: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe" Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Process created: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe "C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.9.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1965220734.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 6364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 7032, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f93dc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe.4f73ba8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1963646151.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1677007999.0000000004F73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1965220734.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 6364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe PID: 7032, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1523111 Sample: Rfq H2110-11#U3000Order_ROY... Startdate: 01/10/2024 Architecture: WINDOWS Score: 100 26 reallyfreegeoip.org 2->26 28 checkip.dyndns.org 2->28 30 checkip.dyndns.com 2->30 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 44 9 other signatures 2->44 8 Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe 4 2->8         started        signatures3 42 Tries to detect the country of the analysis system (by using the IP) 26->42 process4 file5 24 Rfq H2110-11#U3000...U65b0#Uff09.exe.log, ASCII 8->24 dropped 46 Adds a directory exclusion to Windows Defender 8->46 48 Injects a PE file into a foreign processes 8->48 12 powershell.exe 22 8->12         started        15 Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe 15 2 8->15         started        18 Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe 8->18         started        signatures6 process7 dnsIp8 50 Loading BitLocker PowerShell Module 12->50 20 conhost.exe 12->20         started        32 reallyfreegeoip.org 188.114.96.3, 443, 49734, 49736 CLOUDFLARENETUS European Union 15->32 34 checkip.dyndns.com 132.226.8.169, 49733, 49738, 49739 UTMEMUS United States 15->34 22 WerFault.exe 21 16 15->22         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
132.226.8.169
 checkip.dyndns.com United States
16989 UTMEMUS false
188.114.96.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
reallyfreegeoip.org 188.114.96.3 true
checkip.dyndns.com 132.226.8.169 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://reallyfreegeoip.org/xml/8.46.123.33 false
  • URL Reputation: safe
 unknown
http://checkip.dyndns.org/ false
  • URL Reputation: safe
 unknown