Windows Analysis Report
RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe

Overview

General Information

Sample name: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
Analysis ID: 1528230
MD5: 55846b937f549f2b9ee2994886a70c76
SHA1: 4bf34c453165bf2dfe1504bd1b1910d6533eba13
SHA256: 97c3e15446de0089faea027dc2ac15455fab29ce4442e889cfe41ed682dcfc19
Tags: exeuser-lowmal3
Infos:

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Found malware configuration
Source: 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7559518797:AAH0iLCZK1qo8bPJcFwB4ELZaxlgzaM3RR0/sendMessage?chat_id=5116181161", "Token": "7559518797:AAH0iLCZK1qo8bPJcFwB4ELZaxlgzaM3RR0", "Chat_id": "5116181161", "Version": "5.1"}
Multi AV Scanner detection for submitted file
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe ReversingLabs: Detection: 42%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49716 version: TLS 1.0
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: etKP.pdbSHA256 source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
Source: Binary string: etKP.pdb source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4x nop then jmp 07458839h 0_2_0745815C
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4x nop then jmp 0278FA39h 4_2_0278F778
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4x nop then jmp 0278E61Fh 4_2_0278E431
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4x nop then jmp 0278EFA9h 4_2_0278E431
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 4_2_0278D7F0
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4x nop then jmp 065D88EDh 4_2_065D85B0
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_065D3676
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4x nop then jmp 065D6119h 4_2_065D5E70
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4x nop then jmp 065D69C9h 4_2_065D6720
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4x nop then jmp 065D72A2h 4_2_065D6FF8
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4x nop then jmp 065D76F9h 4_2_065D7450
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4x nop then jmp 065D0741h 4_2_065D0498
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4x nop then jmp 065D7FA9h 4_2_065D7D00
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4x nop then jmp 065D5869h 4_2_065D55C0
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4x nop then jmp 065D5CC1h 4_2_065D5A18
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4x nop then jmp 065D6571h 4_2_065D62C8
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_065D3350
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4x nop then jmp 065D6E21h 4_2_065D6B78
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_065D3360
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4x nop then jmp 065D02E9h 4_2_065D0040
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4x nop then jmp 065D0B99h 4_2_065D08F0
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4x nop then jmp 065D7B51h 4_2_065D78A8
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4x nop then jmp 065D8401h 4_2_065D8158
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4x nop then jmp 065D53E9h 4_2_065D5140

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 4.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 193.122.6.168 193.122.6.168
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49720 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49715 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49719 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49742 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49753 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49762 -> 188.114.97.3:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49716 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002A04000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AC0000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AA5000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002ACD000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002A04000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AC0000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002941000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AA5000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002941000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe String found in binary or memory: http://ocsp.comodoca.com0
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AC0000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AA5000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AED000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002A1D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000000.00000002.2192543464.0000000002C79000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002941000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002A04000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AC0000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AA5000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002A97000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AC0000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AA5000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.orgp
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 3792, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 3792, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 6248, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 6248, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 0_2_011BD55C 0_2_011BD55C
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 0_2_07459550 0_2_07459550
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 0_2_07450040 0_2_07450040
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 0_2_07453478 0_2_07453478
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 0_2_07453040 0_2_07453040
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 0_2_07450006 0_2_07450006
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 0_2_07454F58 0_2_07454F58
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 0_2_07456D88 0_2_07456D88
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 0_2_07452C08 0_2_07452C08
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 0_2_07452BCE 0_2_07452BCE
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 0_2_074538B0 0_2_074538B0
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_0278B328 4_2_0278B328
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_02786108 4_2_02786108
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_0278C193 4_2_0278C193
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_0278F778 4_2_0278F778
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_0278C753 4_2_0278C753
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_0278C470 4_2_0278C470
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_0278E431 4_2_0278E431
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_0278CA33 4_2_0278CA33
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_02784AD9 4_2_02784AD9
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_02789858 4_2_02789858
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_02786880 4_2_02786880
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_0278BEB0 4_2_0278BEB0
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_0278D7F0 4_2_0278D7F0
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_0278D7E0 4_2_0278D7E0
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_0278B4F3 4_2_0278B4F3
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065DA600 4_2_065DA600
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065DBF30 4_2_065DBF30
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D9FB0 4_2_065D9FB0
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065DAC48 4_2_065DAC48
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D0D48 4_2_065D0D48
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065DC580 4_2_065DC580
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D85B0 4_2_065D85B0
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065DD218 4_2_065DD218
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065DB290 4_2_065DB290
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065DCBD0 4_2_065DCBD0
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D8BF9 4_2_065D8BF9
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065DB8E0 4_2_065DB8E0
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D5E70 4_2_065D5E70
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D5E60 4_2_065D5E60
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D36D8 4_2_065D36D8
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D6712 4_2_065D6712
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D6720 4_2_065D6720
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065DBF20 4_2_065DBF20
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D6FF8 4_2_065D6FF8
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D6FE8 4_2_065D6FE8
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D9FA0 4_2_065D9FA0
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D7450 4_2_065D7450
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D743F 4_2_065D743F
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065DAC37 4_2_065DAC37
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D7CF0 4_2_065D7CF0
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D0498 4_2_065D0498
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D0488 4_2_065D0488
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065DC570 4_2_065DC570
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D7D00 4_2_065D7D00
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D0D39 4_2_065D0D39
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D55C0 4_2_065D55C0
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065DA5F0 4_2_065DA5F0
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D55B1 4_2_065D55B1
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D85A4 4_2_065D85A4
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D5A18 4_2_065D5A18
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D5A08 4_2_065D5A08
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065DD20A 4_2_065DD20A
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D62C8 4_2_065D62C8
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065DB281 4_2_065DB281
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D62B8 4_2_065D62B8
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D3350 4_2_065D3350
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D6B78 4_2_065D6B78
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D6B69 4_2_065D6B69
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D3360 4_2_065D3360
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D43D8 4_2_065D43D8
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065DCBC0 4_2_065DCBC0
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D2858 4_2_065D2858
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D2848 4_2_065D2848
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D0040 4_2_065D0040
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D0006 4_2_065D0006
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065DB8D0 4_2_065DB8D0
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D08F0 4_2_065D08F0
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D08E1 4_2_065D08E1
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D7898 4_2_065D7898
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D78A8 4_2_065D78A8
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D8158 4_2_065D8158
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D8148 4_2_065D8148
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D5140 4_2_065D5140
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_065D5132 4_2_065D5132
PE / OLE file has an invalid certificate
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000000.00000002.2195944985.00000000073A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000000.00000002.2191649237.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000000.00000002.2192543464.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000000.00000002.2195703547.0000000007299000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000000.00000000.2148059033.00000000007A6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameetKP.exe, vs RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4612876475.00000000007B7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Binary or memory string: OriginalFilenameetKP.exe, vs RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
Uses 32bit PE files
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 3792, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 3792, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 6248, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 6248, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, --.cs Base64 encoded string: 'UqC6YRsrrVEVxlNhM5FwjBtLqBVf6yxcO6vUDb7jXkO1yVIEJnIthqDp9nfDtEUH'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, --.cs Base64 encoded string: 'UqC6YRsrrVEVxlNhM5FwjBtLqBVf6yxcO6vUDb7jXkO1yVIEJnIthqDp9nfDtEUH'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, HqFxki3A1vCn5OMCLQ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, HqFxki3A1vCn5OMCLQ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, hkSTlC5RUL7xPxn3jU.cs Security API names: _0020.SetAccessControl
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, hkSTlC5RUL7xPxn3jU.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, hkSTlC5RUL7xPxn3jU.cs Security API names: _0020.AddAccessRule
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, hkSTlC5RUL7xPxn3jU.cs Security API names: _0020.SetAccessControl
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, hkSTlC5RUL7xPxn3jU.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, hkSTlC5RUL7xPxn3jU.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/6@2/2
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.log Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Mutant created: \Sessions\1\BaseNamedObjects\gQHCoDCKrHyAq
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0py1rknh.fvk.ps1 Jump to behavior
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4616935987.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002B72000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002B82000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4615792687.0000000002BB8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe ReversingLabs: Detection: 42%
Source: unknown Process created: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe "C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe"
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe"
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process created: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe "C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe" Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process created: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe "C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe" Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: etKP.pdbSHA256 source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe
Source: Binary string: etKP.pdb source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, Form1.cs .Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.7250000.4.raw.unpack, RZ.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.2c549b8.0.raw.unpack, RZ.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, hkSTlC5RUL7xPxn3jU.cs .Net Code: Y6hSJL6GVT System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, hkSTlC5RUL7xPxn3jU.cs .Net Code: Y6hSJL6GVT System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 0_2_07458A71 pushfd ; retf 0_2_07458A7D
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 0_2_07458920 push esp; retf 0_2_0745892D
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Code function: 4_2_027824B9 push 8BFFFFFFh; retf 4_2_027824BF
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Static PE information: section name: .text entropy: 7.9840551385774425
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, apo4tjGCtihkWYaBkq.cs High entropy of concatenated method names: 'dZl0AWsseQ', 'P2H0w7l8jb', 'YE90GKAUT4', 'vqD0iHRMMw', 'k3G0vTZSmL', 'r0k0ETVBND', 'eSw04B4BsP', 'kv20XivkR1', 'MUq0OmjerS', 'HJC07HD9tB'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, jVySOoQiFl5ijC5bvT.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ip1xlawhcf', 'V07xI5SQqR', 'TqWxzLVFhB', 'KmNZhIZow7', 'FCyZdLGoJc', 'CF7Zxj2nKv', 'CmHZZxEErr', 'T016VvzLA7Luc0B6fB'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, cVfvXCCnrDwPHJracR.cs High entropy of concatenated method names: 'ToString', 'FbJLB1Akdp', 'YLPLvbrSwm', 'rZWLERFk4Q', 'DDVL4Mfmcv', 'HBWLXOTDAv', 'XOeLOQBdUp', 'EHqL7c06Q8', 'qROL8Sxd5j', 'MtgLKnVJbm'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, fOUQ8G7CnX9aHO2E5t.cs High entropy of concatenated method names: 'SZPRqChS4f', 'e4ORQMqfeD', 'No9RmBAQDd', 'e9cmIMujE8', 'QhDmzxbZIn', 'bYhRhg74iJ', 'IMPRdN278W', 'v7vRx96er8', 'cTeRZ93DBw', 'MyTRSeLg7A'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, Oq8qi9SKto8YMa4L7w.cs High entropy of concatenated method names: 'eJvdRqFxki', 'O1vd5Cn5OM', 'FkBd13c4kC', 'N8SduFUfXS', 'Ryid05cd9C', 'xaIdLA8EDm', 'Akh4cD5X1DAO8b69Co', 'TMZsaRbWsE65irKmFj', 'k9dddIHWJw', 'p6rdZd9r2X'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, FKxeljgkB3c4kCA8SF.cs High entropy of concatenated method names: 'HiTQT4IlYc', 'nHqQVcmxt9', 'Gc7Q3UDCTR', 'VMCQgOlgdb', 'FuTQ0KBS4M', 'rmJQLGGZLM', 'NB9Qsf01V6', 'y1sQtbniDT', 'wmMQeMsq8y', 'vu2QnDOL5p'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, zIlIBVFSdB3O1v84Na.cs High entropy of concatenated method names: 'GdWs1Lwu31', 'Yw9suAWu8J', 'ToString', 'HWasqtqSyB', 'ftMsfWoKXa', 'xSEsQotM50', 'tifsaCRnZD', 'CLOsmbjIxf', 'BJcsRil9Qp', 'oZRs5X4OP4'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, pc5ssqdZ5cWT47rXgGL.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Hs7nGP77Jb', 'q6qniCP72Q', 'BwxnCokAyQ', 'wPQnFGGqsh', 'bnunHaJu1o', 'cyMncanpLD', 'B26nkDJ0U9'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, iwbfPsILF4ICcoofS1.cs High entropy of concatenated method names: 'Bf6edURNa5', 'h01eZdICeR', 'vSdeSGdL1k', 'zVGeqBybBL', 'cD9efIVBfv', 'sFFeauxYlw', 'nARemibQDl', 'svqtkk46mi', 'OmCtpYPPuQ', 'v6stl82d9c'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, hkSTlC5RUL7xPxn3jU.cs High entropy of concatenated method names: 'lAwZDROfg4', 'CGtZqEGEwD', 'HpkZfjCnOM', 'ar5ZQmKxlW', 'K07ZaVsTvT', 'HUXZmTE91m', 'GXIZReyBRA', 'uXyZ5k1rXH', 'SyvZbbPbAH', 'yfiZ1ZXPvm'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, KmQX5edhJgJUquX2aT8.cs High entropy of concatenated method names: 'xgkeYFxkyh', 'KXbeNjfPbK', 'gp6eJdfKjo', 'CH8eTDSBdX', 'PGMe6pQjJJ', 'Mb0eVLU2J0', 'aARerdVw5J', 'arte3rG7Q8', 'DEOegerMhW', 'DegejlS9d3'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, mnmdGHp56L5W8OqTDh.cs High entropy of concatenated method names: 'qCFtq2tRd0', 'h7OtfyBnZD', 'b2HtQcov00', 'i6EtaTSgDb', 'MRptmMI2QM', 'qsJtR8mikH', 'BxVt5rCxMG', 'aYntby3RnW', 'D0Ct1Ni87j', 'QBBtu4xfoo'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, HqFxki3A1vCn5OMCLQ.cs High entropy of concatenated method names: 'mmTfGbTJdm', 'NG4fifQidI', 'u9nfCiCBsR', 'xW4fFym22j', 'KCwfHi2CUw', 'u6cfcdmCPE', 'xkBfkhpNkm', 'zjMfpraUMY', 'VPYflIUAEp', 'vfdfIgc8EX'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, XeM20Z9Mh8ST8agJyv.cs High entropy of concatenated method names: 'hury3o1dHJ', 'Yt5ygbHBSf', 'Mhey2Ja2CF', 'CuiyvTIj66', 'jpoy4P8Etp', 'AXjyX25m0P', 'za0y7xbk39', 'NJTy8N0as8', 'QDEyAMnftC', 'GHmyBkotxL'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, gVT1VJK1DmxfnaYGEv.cs High entropy of concatenated method names: 'KD9RYMROtL', 'C2GRNRtHJW', 'ncFRJBKHUY', 'MI0RTPISrw', 'uhwR6a4vto', 'RvcRV3ovaW', 'AKERrx1Qov', 'GcxR3Y3Kat', 'jYFRggV3fX', 'WdxRjC0An0'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, XupCdXxxQvoQy5ukXy.cs High entropy of concatenated method names: 'BGMJcL995', 'HHfTFbBTY', 'GIAVLKtj5', 't6crOnbuw', 'SG7grhd6p', 'KUnjyV8oT', 'zNC5AjrhMnVliFm3HQ', 'WWm9jOF214gB8jcQtv', 'QRNRELUBRceasGHVj1', 'hATte8mFP'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, b9CYaI2A8EDmtopdnv.cs High entropy of concatenated method names: 'H1QmDeycha', 'hrcmffaLEY', 'Cl5matF1JE', 'CVDmRqnfhP', 'vnpm5L1Uae', 'ChTaHWPNXK', 'xOeac9G3fO', 'Ni0akISwne', 'NFMap2PF4d', 'zeCalJ9doE'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, bDuuv3cRtAGalADw6V.cs High entropy of concatenated method names: 'Y9hspVywoE', 'xRVsI0oPqj', 'pcFth8TGWG', 'IW1tdDpTs9', 'cOGsBhW1gU', 'PCEswMbIQh', 'WFJs9HokDR', 'JjqsGWJyuj', 'SfVsicGrkH', 'JKcsCu3vhW'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, sxpQEYfyCHULBZAink.cs High entropy of concatenated method names: 'Dispose', 'mTAdlkJUbI', 'UrAxvZVM9U', 'NUZccobIT4', 'gundImdGH5', 'BL5dzW8OqT', 'ProcessDialogKey', 'ehBxhtsEg7', 'ye6xdjL2pM', 'SdjxxawbfP'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, ufXSgCjI4MNCpGyi5c.cs High entropy of concatenated method names: 'l1ca6bEpdV', 'bOuarKVoiU', 'mJyQE8Iesc', 'K4wQ4foiJ6', 'dWVQXCpGOm', 'WG6QOmRJPb', 'U5nQ7J7wFm', 'FFTQ8FENV7', 'nquQK5BfDW', 'nJoQAQALp8'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, apo4tjGCtihkWYaBkq.cs High entropy of concatenated method names: 'dZl0AWsseQ', 'P2H0w7l8jb', 'YE90GKAUT4', 'vqD0iHRMMw', 'k3G0vTZSmL', 'r0k0ETVBND', 'eSw04B4BsP', 'kv20XivkR1', 'MUq0OmjerS', 'HJC07HD9tB'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, jVySOoQiFl5ijC5bvT.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ip1xlawhcf', 'V07xI5SQqR', 'TqWxzLVFhB', 'KmNZhIZow7', 'FCyZdLGoJc', 'CF7Zxj2nKv', 'CmHZZxEErr', 'T016VvzLA7Luc0B6fB'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, cVfvXCCnrDwPHJracR.cs High entropy of concatenated method names: 'ToString', 'FbJLB1Akdp', 'YLPLvbrSwm', 'rZWLERFk4Q', 'DDVL4Mfmcv', 'HBWLXOTDAv', 'XOeLOQBdUp', 'EHqL7c06Q8', 'qROL8Sxd5j', 'MtgLKnVJbm'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, fOUQ8G7CnX9aHO2E5t.cs High entropy of concatenated method names: 'SZPRqChS4f', 'e4ORQMqfeD', 'No9RmBAQDd', 'e9cmIMujE8', 'QhDmzxbZIn', 'bYhRhg74iJ', 'IMPRdN278W', 'v7vRx96er8', 'cTeRZ93DBw', 'MyTRSeLg7A'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, Oq8qi9SKto8YMa4L7w.cs High entropy of concatenated method names: 'eJvdRqFxki', 'O1vd5Cn5OM', 'FkBd13c4kC', 'N8SduFUfXS', 'Ryid05cd9C', 'xaIdLA8EDm', 'Akh4cD5X1DAO8b69Co', 'TMZsaRbWsE65irKmFj', 'k9dddIHWJw', 'p6rdZd9r2X'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, FKxeljgkB3c4kCA8SF.cs High entropy of concatenated method names: 'HiTQT4IlYc', 'nHqQVcmxt9', 'Gc7Q3UDCTR', 'VMCQgOlgdb', 'FuTQ0KBS4M', 'rmJQLGGZLM', 'NB9Qsf01V6', 'y1sQtbniDT', 'wmMQeMsq8y', 'vu2QnDOL5p'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, zIlIBVFSdB3O1v84Na.cs High entropy of concatenated method names: 'GdWs1Lwu31', 'Yw9suAWu8J', 'ToString', 'HWasqtqSyB', 'ftMsfWoKXa', 'xSEsQotM50', 'tifsaCRnZD', 'CLOsmbjIxf', 'BJcsRil9Qp', 'oZRs5X4OP4'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, pc5ssqdZ5cWT47rXgGL.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Hs7nGP77Jb', 'q6qniCP72Q', 'BwxnCokAyQ', 'wPQnFGGqsh', 'bnunHaJu1o', 'cyMncanpLD', 'B26nkDJ0U9'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, iwbfPsILF4ICcoofS1.cs High entropy of concatenated method names: 'Bf6edURNa5', 'h01eZdICeR', 'vSdeSGdL1k', 'zVGeqBybBL', 'cD9efIVBfv', 'sFFeauxYlw', 'nARemibQDl', 'svqtkk46mi', 'OmCtpYPPuQ', 'v6stl82d9c'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, hkSTlC5RUL7xPxn3jU.cs High entropy of concatenated method names: 'lAwZDROfg4', 'CGtZqEGEwD', 'HpkZfjCnOM', 'ar5ZQmKxlW', 'K07ZaVsTvT', 'HUXZmTE91m', 'GXIZReyBRA', 'uXyZ5k1rXH', 'SyvZbbPbAH', 'yfiZ1ZXPvm'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, KmQX5edhJgJUquX2aT8.cs High entropy of concatenated method names: 'xgkeYFxkyh', 'KXbeNjfPbK', 'gp6eJdfKjo', 'CH8eTDSBdX', 'PGMe6pQjJJ', 'Mb0eVLU2J0', 'aARerdVw5J', 'arte3rG7Q8', 'DEOegerMhW', 'DegejlS9d3'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, mnmdGHp56L5W8OqTDh.cs High entropy of concatenated method names: 'qCFtq2tRd0', 'h7OtfyBnZD', 'b2HtQcov00', 'i6EtaTSgDb', 'MRptmMI2QM', 'qsJtR8mikH', 'BxVt5rCxMG', 'aYntby3RnW', 'D0Ct1Ni87j', 'QBBtu4xfoo'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, HqFxki3A1vCn5OMCLQ.cs High entropy of concatenated method names: 'mmTfGbTJdm', 'NG4fifQidI', 'u9nfCiCBsR', 'xW4fFym22j', 'KCwfHi2CUw', 'u6cfcdmCPE', 'xkBfkhpNkm', 'zjMfpraUMY', 'VPYflIUAEp', 'vfdfIgc8EX'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, XeM20Z9Mh8ST8agJyv.cs High entropy of concatenated method names: 'hury3o1dHJ', 'Yt5ygbHBSf', 'Mhey2Ja2CF', 'CuiyvTIj66', 'jpoy4P8Etp', 'AXjyX25m0P', 'za0y7xbk39', 'NJTy8N0as8', 'QDEyAMnftC', 'GHmyBkotxL'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, gVT1VJK1DmxfnaYGEv.cs High entropy of concatenated method names: 'KD9RYMROtL', 'C2GRNRtHJW', 'ncFRJBKHUY', 'MI0RTPISrw', 'uhwR6a4vto', 'RvcRV3ovaW', 'AKERrx1Qov', 'GcxR3Y3Kat', 'jYFRggV3fX', 'WdxRjC0An0'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, XupCdXxxQvoQy5ukXy.cs High entropy of concatenated method names: 'BGMJcL995', 'HHfTFbBTY', 'GIAVLKtj5', 't6crOnbuw', 'SG7grhd6p', 'KUnjyV8oT', 'zNC5AjrhMnVliFm3HQ', 'WWm9jOF214gB8jcQtv', 'QRNRELUBRceasGHVj1', 'hATte8mFP'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, b9CYaI2A8EDmtopdnv.cs High entropy of concatenated method names: 'H1QmDeycha', 'hrcmffaLEY', 'Cl5matF1JE', 'CVDmRqnfhP', 'vnpm5L1Uae', 'ChTaHWPNXK', 'xOeac9G3fO', 'Ni0akISwne', 'NFMap2PF4d', 'zeCalJ9doE'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, bDuuv3cRtAGalADw6V.cs High entropy of concatenated method names: 'Y9hspVywoE', 'xRVsI0oPqj', 'pcFth8TGWG', 'IW1tdDpTs9', 'cOGsBhW1gU', 'PCEswMbIQh', 'WFJs9HokDR', 'JjqsGWJyuj', 'SfVsicGrkH', 'JKcsCu3vhW'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, sxpQEYfyCHULBZAink.cs High entropy of concatenated method names: 'Dispose', 'mTAdlkJUbI', 'UrAxvZVM9U', 'NUZccobIT4', 'gundImdGH5', 'BL5dzW8OqT', 'ProcessDialogKey', 'ehBxhtsEg7', 'ye6xdjL2pM', 'SdjxxawbfP'
Source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.73a0000.5.raw.unpack, ufXSgCjI4MNCpGyi5c.cs High entropy of concatenated method names: 'l1ca6bEpdV', 'bOuarKVoiU', 'mJyQE8Iesc', 'K4wQ4foiJ6', 'dWVQXCpGOm', 'WG6QOmRJPb', 'U5nQ7J7wFm', 'FFTQ8FENV7', 'nquQK5BfDW', 'nJoQAQALp8'

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 3792, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Memory allocated: 1110000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Memory allocated: 2C20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Memory allocated: 1110000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Memory allocated: 7800000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Memory allocated: 8800000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Memory allocated: 89A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Memory allocated: 99A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Memory allocated: 2740000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Memory allocated: 2940000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Memory allocated: 4940000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 599671 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 599453 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 599343 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 599125 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 599015 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 598888 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 598781 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 598671 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 598562 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 598453 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 598343 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 598234 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 598124 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 598015 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 597905 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 597797 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 597687 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 597578 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 597468 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 597359 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 597250 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 597139 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 597030 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 596921 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 596812 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 596703 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 596593 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 596482 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 596374 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 596265 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 596134 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 596015 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 595904 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 595283 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 595156 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 595046 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 594936 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 594828 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 594718 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 594608 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 594500 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 594390 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 594281 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 594171 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 594061 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 593953 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 593843 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6194 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3616 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Window / User API: threadDelayed 2008 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Window / User API: threadDelayed 7837 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 5200 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2536 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep count: 33 > 30 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -30437127721620741s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 6108 Thread sleep count: 2008 > 30 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -599890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 6108 Thread sleep count: 7837 > 30 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -599781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -599671s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -599562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -599453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -599343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -599234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -599125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -599015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -598888s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -598781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -598671s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -598562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -598453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -598343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -598234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -598124s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -598015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -597905s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -597797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -597687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -597578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -597468s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -597359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -597250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -597139s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -597030s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -596921s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -596812s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -596703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -596593s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -596482s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -596374s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -596265s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -596134s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -596015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -595904s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -595283s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -595156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -595046s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -594936s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -594828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -594718s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -594608s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -594500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -594390s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -594281s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -594171s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -594061s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -593953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe TID: 3620 Thread sleep time: -593843s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 599671 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 599453 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 599343 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 599125 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 599015 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 598888 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 598781 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 598671 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 598562 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 598453 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 598343 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 598234 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 598124 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 598015 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 597905 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 597797 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 597687 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 597578 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 597468 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 597359 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 597250 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 597139 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 597030 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 596921 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 596812 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 596703 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 596593 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 596482 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 596374 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 596265 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 596134 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 596015 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 595904 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 595283 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 595156 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 595046 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 594936 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 594828 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 594718 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 594608 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 594500 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 594390 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 594281 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 594171 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 594061 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 593953 Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Thread delayed: delay time: 593843 Jump to behavior
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000000.00000002.2195703547.0000000007270000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000000.00000002.2195703547.0000000007270000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe, 00000004.00000002.4613235913.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe"
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Memory written: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe" Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Process created: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe "C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Queries volume information: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Queries volume information: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4615792687.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4615792687.0000000002941000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 3792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 6248, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 3792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 6248, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3d0e7d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3c8bb90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe.3ceddb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4612202032.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4615792687.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2193920589.0000000003C87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4615792687.0000000002941000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 3792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe PID: 6248, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1528230 Sample: RFQ Ref. No CRCCRFQHAFJIHDG... Startdate: 07/10/2024 Architecture: WINDOWS Score: 100 22 reallyfreegeoip.org 2->22 24 checkip.dyndns.org 2->24 26 checkip.dyndns.com 2->26 32 Found malware configuration 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 Multi AV Scanner detection for submitted file 2->36 40 9 other signatures 2->40 8 RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe 4 2->8         started        signatures3 38 Tries to detect the country of the analysis system (by using the IP) 22->38 process4 file5 20 RFQ Ref. No CRCCRF...001 REV.01..exe.log, ASCII 8->20 dropped 42 Adds a directory exclusion to Windows Defender 8->42 44 Injects a PE file into a foreign processes 8->44 12 RFQ Ref. No CRCCRFQHAFJIHDG2-KSU001 REV.01..exe 15 2 8->12         started        16 powershell.exe 21 8->16         started        signatures6 process7 dnsIp8 28 reallyfreegeoip.org 188.114.97.3, 443, 49716, 49719 CLOUDFLARENETUS European Union 12->28 30 checkip.dyndns.com 193.122.6.168, 49715, 49720, 49728 ORACLE-BMC-31898US United States 12->30 46 Tries to steal Mail credentials (via file / registry access) 12->46 48 Tries to harvest and steal browser information (history, passwords, etc) 12->48 50 Loading BitLocker PowerShell Module 16->50 18 conhost.exe 16->18         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.114.97.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS true
193.122.6.168
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US false

Contacted Domains

Name IP Active
reallyfreegeoip.org 188.114.97.3 true
checkip.dyndns.com 193.122.6.168 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.dyndns.org/ false
  • URL Reputation: safe
 unknown
https://reallyfreegeoip.org/xml/8.46.123.33 false
  • URL Reputation: safe
 unknown