Windows Analysis Report
RFQ__363564546 -PO.exe

Overview

General Information

Sample name: RFQ__363564546 -PO.exe
Analysis ID: 1417012
MD5: 4c1c86fd8a3fb71ea451791806dbfbe7
SHA1: 03fdc8ce41feeac7b7a0d8bf1858f1385272d12b
SHA256: cd477b7ce28707ff2a532ddf8054f743f0a5ac7cf31a01ae96fe55e089f82955
Tags: AgentTeslaexe
Infos:

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Found malware configuration
Source: 0.2.RFQ__363564546 -PO.exe.3f7d010.4.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.ag-tr.com", "Username": "order@ag-tr.com", "Password": "At.070773"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Virustotal: Detection: 33% Perma Link
Multi AV Scanner detection for submitted file
Source: RFQ__363564546 -PO.exe ReversingLabs: Detection: 28%
Source: RFQ__363564546 -PO.exe Virustotal: Detection: 33% Perma Link
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: RFQ__363564546 -PO.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: RFQ__363564546 -PO.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: RFQ__363564546 -PO.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: sxQr.pdbSHA256 source: RFQ__363564546 -PO.exe, wBeZBSZ.exe.4.dr
Source: Binary string: sxQr.pdb source: RFQ__363564546 -PO.exe, wBeZBSZ.exe.4.dr

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 0.2.RFQ__363564546 -PO.exe.3f7d010.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__363564546 -PO.exe.3f421f0.5.raw.unpack, type: UNPACKEDPE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49708 -> 185.111.247.38:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.111.247.38 185.111.247.38
Source: Joe Sandbox View IP Address: 172.67.74.152 172.67.74.152
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.5:49708 -> 185.111.247.38:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: api.ipify.org
Source: RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.000000000304E000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.00000000030D8000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 00000007.00000002.2213525634.00000000031DC000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002CE4000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002C41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ag-tr.com
Source: wBeZBSZ.exe, 00000007.00000002.2219082832.0000000006AA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.000000000304E000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.00000000030D8000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 00000007.00000002.2213525634.00000000031DC000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002CE4000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002C41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.ag-tr.com
Source: RFQ__363564546 -PO.exe, 00000004.00000002.4479946251.0000000008980000.00000004.00000020.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4441846267.0000000000E21000.00000004.00000020.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4464575618.0000000006624000.00000004.00000020.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.000000000304E000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.00000000030D8000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4441846267.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002D54000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 00000007.00000002.2211970704.0000000001666000.00000004.00000020.00020000.00000000.sdmp, wBeZBSZ.exe, 00000007.00000002.2211970704.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, wBeZBSZ.exe, 00000007.00000002.2213525634.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4483145781.0000000009DC5000.00000004.00000020.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002B44000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4462044198.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4483145781.0000000009DB0000.00000004.00000020.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002CE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0
Source: RFQ__363564546 -PO.exe, 00000004.00000002.4479946251.0000000008980000.00000004.00000020.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4441846267.0000000000E21000.00000004.00000020.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4464575618.0000000006624000.00000004.00000020.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.000000000304E000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.00000000030D8000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4441846267.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002D54000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 00000007.00000002.2211970704.0000000001666000.00000004.00000020.00020000.00000000.sdmp, wBeZBSZ.exe, 00000007.00000002.2211970704.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, wBeZBSZ.exe, 00000007.00000002.2213525634.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4483145781.0000000009DC5000.00000004.00000020.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002B44000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4462044198.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4483145781.0000000009DB0000.00000004.00000020.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002CE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: RFQ__363564546 -PO.exe, 00000000.00000002.1999641556.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 00000006.00000002.2160423220.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 00000007.00000002.2213525634.0000000003161000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 00000009.00000002.2232582254.0000000002764000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RFQ__363564546 -PO.exe, wBeZBSZ.exe.4.dr String found in binary or memory: http://tempuri.org/DataSet1.xsd-Dodanie
Source: RFQ__363564546 -PO.exe, 00000004.00000002.4479946251.0000000008980000.00000004.00000020.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4441846267.0000000000E21000.00000004.00000020.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4464575618.0000000006624000.00000004.00000020.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4479946251.0000000008A2D000.00000004.00000020.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.000000000304E000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.00000000030D8000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4441846267.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002D54000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 00000007.00000002.2211970704.0000000001666000.00000004.00000020.00020000.00000000.sdmp, wBeZBSZ.exe, 00000007.00000002.2211970704.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, wBeZBSZ.exe, 00000007.00000002.2211970704.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, wBeZBSZ.exe, 00000007.00000002.2213525634.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4483145781.0000000009DC5000.00000004.00000020.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002B44000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4462044198.00000000061FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: RFQ__363564546 -PO.exe, 00000004.00000002.4479946251.0000000008980000.00000004.00000020.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4441846267.0000000000E21000.00000004.00000020.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4464575618.0000000006624000.00000004.00000020.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.000000000304E000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.00000000030D8000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4441846267.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002D54000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 00000007.00000002.2211970704.0000000001666000.00000004.00000020.00020000.00000000.sdmp, wBeZBSZ.exe, 00000007.00000002.2211970704.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, wBeZBSZ.exe, 00000007.00000002.2211970704.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, wBeZBSZ.exe, 00000007.00000002.2213525634.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4483145781.0000000009DC5000.00000004.00000020.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002B44000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4462044198.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4483145781.0000000009DB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: RFQ__363564546 -PO.exe, 00000000.00000002.2000100166.0000000004861000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000000.00000002.2000100166.0000000003F42000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 00000006.00000002.2161745912.0000000004091000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 00000007.00000002.2210664065.0000000000402000.00000040.00000400.00020000.00000000.sdmp, wBeZBSZ.exe, 00000009.00000002.2238725091.0000000003A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: RFQ__363564546 -PO.exe, 00000000.00000002.2000100166.0000000004861000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000000.00000002.2000100166.0000000003F42000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 00000006.00000002.2161745912.0000000004091000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 00000007.00000002.2210664065.0000000000402000.00000040.00000400.00020000.00000000.sdmp, wBeZBSZ.exe, 00000007.00000002.2213525634.0000000003161000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 00000009.00000002.2238725091.0000000003A32000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 00000007.00000002.2213525634.0000000003161000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 00000007.00000002.2213525634.0000000003161000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4444960977.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49718 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.RFQ__363564546 -PO.exe.3f7d010.4.raw.unpack, 8AYyiOU7.cs .Net Code: IbUqqbb28Ne
Source: 0.2.RFQ__363564546 -PO.exe.3f421f0.5.raw.unpack, 8AYyiOU7.cs .Net Code: IbUqqbb28Ne
Installs a global keyboard hook
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\RFQ__363564546 -PO.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Window created: window name: CLIPBRDWNDCLASS

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.RFQ__363564546 -PO.exe.3f7d010.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.wBeZBSZ.exe.3a6d2a0.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.wBeZBSZ.exe.40cc638.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.wBeZBSZ.exe.40cc638.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.wBeZBSZ.exe.3a6d2a0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RFQ__363564546 -PO.exe.3f421f0.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.wBeZBSZ.exe.3a32480.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.wBeZBSZ.exe.3a32480.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.wBeZBSZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.wBeZBSZ.exe.4091818.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RFQ__363564546 -PO.exe.3f7d010.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.wBeZBSZ.exe.4091818.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RFQ__363564546 -PO.exe.3f421f0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: RFQ__363564546 -PO.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_010DE2FC 0_2_010DE2FC
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_05D29A18 0_2_05D29A18
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_05D29A0B 0_2_05D29A0B
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_07315769 0_2_07315769
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_07310630 0_2_07310630
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_07311358 0_2_07311358
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_0731E3E0 0_2_0731E3E0
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_07314D78 0_2_07314D78
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_07311348 0_2_07311348
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_0731A270 0_2_0731A270
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_0731A280 0_2_0731A280
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_07313170 0_2_07313170
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_073181D8 0_2_073181D8
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_073181C8 0_2_073181C8
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_0731001F 0_2_0731001F
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_07310040 0_2_07310040
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_07313E02 0_2_07313E02
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_07314D68 0_2_07314D68
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_07317DA0 0_2_07317DA0
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_07317D92 0_2_07317D92
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_07317930 0_2_07317930
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_073198D0 0_2_073198D0
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_07AB4598 0_2_07AB4598
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_07AB59DF 0_2_07AB59DF
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_07AB4740 0_2_07AB4740
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_07AB6598 0_2_07AB6598
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_07AB6303 0_2_07AB6303
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_07AB6310 0_2_07AB6310
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_07ABD978 0_2_07ABD978
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_0ACA0040 0_2_0ACA0040
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_02AB41D8 4_2_02AB41D8
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_02AB4AA8 4_2_02AB4AA8
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_02ABA8A8 4_2_02ABA8A8
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_02ABE971 4_2_02ABE971
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_02AB3E90 4_2_02AB3E90
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_0688B22B 4_2_0688B22B
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_06883490 4_2_06883490
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_06887D80 4_2_06887D80
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_0688C198 4_2_0688C198
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_068855D0 4_2_068855D0
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_068865F0 4_2_068865F0
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_068876A0 4_2_068876A0
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_0688E3A8 4_2_0688E3A8
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_06885CDF 4_2_06885CDF
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_06880040 4_2_06880040
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_06971B98 4_2_06971B98
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_06971BA8 4_2_06971BA8
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_06880007 4_2_06880007
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_010FE2FC 6_2_010FE2FC
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_060B9A18 6_2_060B9A18
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_060B9A0A 6_2_060B9A0A
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_06154598 6_2_06154598
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_061559DF 6_2_061559DF
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_06154740 6_2_06154740
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_06156598 6_2_06156598
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_06156310 6_2_06156310
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_06156302 6_2_06156302
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_0615D978 6_2_0615D978
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_07640630 6_2_07640630
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_07641358 6_2_07641358
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_07644D78 6_2_07644D78
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_0764DCF0 6_2_0764DCF0
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_07641348 6_2_07641348
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_0764A280 6_2_0764A280
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_076481C8 6_2_076481C8
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_076481D8 6_2_076481D8
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_07640040 6_2_07640040
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_07640022 6_2_07640022
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_07644D68 6_2_07644D68
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_07647DA0 6_2_07647DA0
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_07647D90 6_2_07647D90
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_0764FAB8 6_2_0764FAB8
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_076498D0 6_2_076498D0
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 7_2_015C4AA8 7_2_015C4AA8
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 7_2_015C3E90 7_2_015C3E90
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 7_2_015C41D8 7_2_015C41D8
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 7_2_015CABE8 7_2_015CABE8
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 7_2_06E857C0 7_2_06E857C0
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 7_2_06E83490 7_2_06E83490
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 7_2_06E8B449 7_2_06E8B449
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 7_2_06E865F0 7_2_06E865F0
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 7_2_06E87D80 7_2_06E87D80
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 7_2_06E8C198 7_2_06E8C198
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 7_2_06E876A0 7_2_06E876A0
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 7_2_06F71BA2 7_2_06F71BA2
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 7_2_06F71BA8 7_2_06F71BA8
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 9_2_0268E2FC 9_2_0268E2FC
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 9_2_06B70640 9_2_06B70640
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 9_2_06B71358 9_2_06B71358
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 9_2_06B7DCE9 9_2_06B7DCE9
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 9_2_06B74D78 9_2_06B74D78
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 9_2_06B7A280 9_2_06B7A280
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 9_2_06B71348 9_2_06B71348
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 9_2_06B70006 9_2_06B70006
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 9_2_06B70040 9_2_06B70040
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 9_2_06B781D8 9_2_06B781D8
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 9_2_06B77DA0 9_2_06B77DA0
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 9_2_06B77D90 9_2_06B77D90
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 9_2_06B74D68 9_2_06B74D68
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 9_2_06B7FAC0 9_2_06B7FAC0
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 9_2_06B798D0 9_2_06B798D0
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 9_2_06B77968 9_2_06B77968
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 10_2_029A41D8 10_2_029A41D8
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 10_2_029A4AA8 10_2_029A4AA8
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 10_2_029AE851 10_2_029AE851
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 10_2_029A3E90 10_2_029A3E90
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 10_2_06703490 10_2_06703490
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 10_2_067065F0 10_2_067065F0
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 10_2_067055D0 10_2_067055D0
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 10_2_06707D80 10_2_06707D80
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 10_2_0670B22A 10_2_0670B22A
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 10_2_0670C198 10_2_0670C198
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 10_2_067076A0 10_2_067076A0
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 10_2_06705CDF 10_2_06705CDF
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 10_2_0670E3A8 10_2_0670E3A8
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 10_2_06700040 10_2_06700040
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 10_2_06700007 10_2_06700007
Sample file is different than original file name gathered from version info
Source: RFQ__363564546 -PO.exe, 00000000.00000002.2002364655.0000000007BD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs RFQ__363564546 -PO.exe
Source: RFQ__363564546 -PO.exe, 00000000.00000002.1999641556.0000000002C71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename3c2400ab-26c0-4cb7-b5bc-9c82dbc4c201.exe4 vs RFQ__363564546 -PO.exe
Source: RFQ__363564546 -PO.exe, 00000000.00000002.1998574802.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs RFQ__363564546 -PO.exe
Source: RFQ__363564546 -PO.exe, 00000000.00000002.2000100166.0000000003F42000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename3c2400ab-26c0-4cb7-b5bc-9c82dbc4c201.exe4 vs RFQ__363564546 -PO.exe
Source: RFQ__363564546 -PO.exe, 00000000.00000002.2000100166.0000000003F42000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs RFQ__363564546 -PO.exe
Source: RFQ__363564546 -PO.exe, 00000004.00000002.4441735916.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs RFQ__363564546 -PO.exe
Source: RFQ__363564546 -PO.exe Binary or memory string: OriginalFilenamesxQr.exeD vs RFQ__363564546 -PO.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Section loaded: windowscodecs.dll
Uses 32bit PE files
Source: RFQ__363564546 -PO.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.RFQ__363564546 -PO.exe.3f7d010.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.wBeZBSZ.exe.3a6d2a0.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.wBeZBSZ.exe.40cc638.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.wBeZBSZ.exe.40cc638.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.wBeZBSZ.exe.3a6d2a0.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ__363564546 -PO.exe.3f421f0.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.wBeZBSZ.exe.3a32480.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.wBeZBSZ.exe.3a32480.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.wBeZBSZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.wBeZBSZ.exe.4091818.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ__363564546 -PO.exe.3f7d010.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.wBeZBSZ.exe.4091818.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ__363564546 -PO.exe.3f421f0.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: RFQ__363564546 -PO.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.RFQ__363564546 -PO.exe.3f7d010.4.raw.unpack, pedwBeAo9.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.RFQ__363564546 -PO.exe.3f7d010.4.raw.unpack, Mi6W.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ__363564546 -PO.exe.3f7d010.4.raw.unpack, s0nDliRGT.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ__363564546 -PO.exe.3f7d010.4.raw.unpack, UGDeyt2ww1.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ__363564546 -PO.exe.3f7d010.4.raw.unpack, xpue.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ__363564546 -PO.exe.3f7d010.4.raw.unpack, u4JW9.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.RFQ__363564546 -PO.exe.3f7d010.4.raw.unpack, EBT4fOCjU.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ__363564546 -PO.exe.3f7d010.4.raw.unpack, EBT4fOCjU.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ__363564546 -PO.exe.3f7d010.4.raw.unpack, EBT4fOCjU.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ__363564546 -PO.exe.3f7d010.4.raw.unpack, EBT4fOCjU.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, YiLXwmZk4RXUf517vf.cs Security API names: _0020.SetAccessControl
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, YiLXwmZk4RXUf517vf.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, YiLXwmZk4RXUf517vf.cs Security API names: _0020.AddAccessRule
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, ItmMcx3wbxxmt3sBET.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, YiLXwmZk4RXUf517vf.cs Security API names: _0020.SetAccessControl
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, YiLXwmZk4RXUf517vf.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, YiLXwmZk4RXUf517vf.cs Security API names: _0020.AddAccessRule
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, ItmMcx3wbxxmt3sBET.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ__363564546 -PO.exe.72b0000.7.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.RFQ__363564546 -PO.exe.2c4a950.1.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.RFQ__363564546 -PO.exe.2c52968.2.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@12/9@2/2
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ__363564546 -PO.exe.log Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_03
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Mutant created: \Sessions\1\BaseNamedObjects\vbXZNcQKpJNFOyqfXnwv
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3znxm2le.j4c.ps1 Jump to behavior
Source: RFQ__363564546 -PO.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RFQ__363564546 -PO.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: RFQ__363564546 -PO.exe ReversingLabs: Detection: 28%
Source: RFQ__363564546 -PO.exe Virustotal: Detection: 33%
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe File read: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\RFQ__363564546 -PO.exe "C:\Users\user\Desktop\RFQ__363564546 -PO.exe"
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ__363564546 -PO.exe"
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process created: C:\Users\user\Desktop\RFQ__363564546 -PO.exe "C:\Users\user\Desktop\RFQ__363564546 -PO.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe "C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe"
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process created: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe "C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe "C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe"
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process created: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe "C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe"
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ__363564546 -PO.exe" Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process created: C:\Users\user\Desktop\RFQ__363564546 -PO.exe "C:\Users\user\Desktop\RFQ__363564546 -PO.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process created: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe "C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process created: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe "C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe"
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: RFQ__363564546 -PO.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ__363564546 -PO.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: RFQ__363564546 -PO.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: sxQr.pdbSHA256 source: RFQ__363564546 -PO.exe, wBeZBSZ.exe.4.dr
Source: Binary string: sxQr.pdb source: RFQ__363564546 -PO.exe, wBeZBSZ.exe.4.dr

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.2.RFQ__363564546 -PO.exe.7290000.6.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.RFQ__363564546 -PO.exe.2c294e0.0.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
.NET source code contains potential unpacker
Source: RFQ__363564546 -PO.exe, frm_main.cs .Net Code: InitializeComponent
Source: 0.2.RFQ__363564546 -PO.exe.7290000.6.raw.unpack, I1Ds3abkUA5mh3kywv.cs .Net Code: hyVW2X9uL System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, YiLXwmZk4RXUf517vf.cs .Net Code: BpNcQev41U System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ__363564546 -PO.exe.2c294e0.0.raw.unpack, I1Ds3abkUA5mh3kywv.cs .Net Code: hyVW2X9uL System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, YiLXwmZk4RXUf517vf.cs .Net Code: BpNcQev41U System.Reflection.Assembly.Load(byte[])
Binary contains a suspicious time stamp
Source: RFQ__363564546 -PO.exe Static PE information: 0xB89F1D06 [Sat Feb 25 22:43:18 2068 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_05D27D08 pushfd ; iretd 0_2_05D27D09
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_05D25F70 push eax; ret 0_2_05D25F79
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_07AB9BAC push cs; retf 0_2_07AB9BAF
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_02AB0C3D push edi; ret 4_2_02AB0CC2
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_0697A64F push ebp; ret 4_2_0697A6B3
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_06976D6E push 00000006h; ret 4_2_06976D70
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_0697B4A1 push es; ret 4_2_0697B4B0
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_06977120 push esp; iretd 4_2_06977129
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_06977D5C push esp; iretd 4_2_06977D65
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 4_2_0697BD41 push esp; ret 4_2_0697BD94
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_060B5F70 push eax; ret 6_2_060B5F79
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_060B7D08 pushfd ; iretd 6_2_060B7D09
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_06159BAC push cs; retf 6_2_06159BAF
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 6_2_06156070 push es; iretd 6_2_0615607C
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 7_2_015C0B4D push edi; ret 7_2_015C0CC2
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 7_2_015C0C95 push edi; retf 7_2_015C0C3A
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 7_2_06E8B449 push ds; retf 5506h 7_2_06E8BA16
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 7_2_06E85F0E push FFFFFF8Bh; iretd 7_2_06E85F10
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 7_2_06E81535 pushfd ; ret 7_2_06E81540
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 7_2_06F76D6F push es; ret 7_2_06F76D70
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 7_2_06F77120 push esp; iretd 7_2_06F77129
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 7_2_06F77D5C push esp; iretd 7_2_06F77D65
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 10_2_029A0C95 push edi; retf 10_2_029A0C3A
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Code function: 10_2_029A0C3D push edi; ret 10_2_029A0CC2
Source: RFQ__363564546 -PO.exe Static PE information: section name: .text entropy: 7.938780694905836
Source: 0.2.RFQ__363564546 -PO.exe.7290000.6.raw.unpack, R87QTajabri3WprdxA.cs High entropy of concatenated method names: 'SoFXXYTXBr', 'VXePqW7LxoGttIrQMM', 'VJKqh4rSy8UE5CPs2d', 'w7T6rNymrPsVe05ZjX', 'Qa5usbZfG', 'UsaN6r2JI', 'Dispose', 'xdE70OV1R', 'WKG8Nh2TLfQX7DMBJq', 'FCyDZoO16YhsTUYx7V'
Source: 0.2.RFQ__363564546 -PO.exe.7290000.6.raw.unpack, I1Ds3abkUA5mh3kywv.cs High entropy of concatenated method names: 'I6pnpGMEc', 'pUPSoKeTB', 'w3OonGh86', 'S3aaCOvyF', 'MagvcleIh', 'hvmph4XfL', 'eXtqEM8mO', 'RC38AH4Bb', 'hyVW2X9uL', 'AbHynsT40'
Source: 0.2.RFQ__363564546 -PO.exe.7290000.6.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs High entropy of concatenated method names: 'sRJJ4PC1lt6MgSX9oLN', 'qCuPUJCYMdGJYrcKdqj', 'T9OMNMJAsS', 'KH71sVC96gudd8OjhqS', 'qSoaq8CnboJYXbPCm1H', 'XtbiVDCeUWVlZdG2V08', 'D2TFRiCIaLSytg31rTE', 'MtxGm4CM57HGXUKQMIN', 'RgtTUJcyZL', 'eFmMT9Tlnp'
Source: 0.2.RFQ__363564546 -PO.exe.7290000.6.raw.unpack, QEHxtuXFnnkJABhbAo.cs High entropy of concatenated method names: 'Geosg7Hdn', 'wwIBOnTmd', 'siWV4YECO', 'k32FNitut', 'cUAG5mh3k', 'JwvHwu9Dw', 'cr1hyajqeLqaQ4F9dK', 'Pgut89mcfAIn6Hs5oN', 'Dispose', 'MoveNext'
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, KOKtnKz1LPV1nJ6SBW.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QkmgTq2mmt', 'g67gD7TQV9', 'MAugBbdhHv', 'bSugi75nwZ', 'ERJg90shc9', 'AVQggiQNlV', 'DNTgNue7XA'
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, UXuZVTHMbqv2yWGmdY.cs High entropy of concatenated method names: 'DW7O6I457o', 'c1BOH4plYT', 'LfEOu0fCp4', 'UE0OobPkIt', 'gFpOt4653t', 'CffumprTeM', 'zI0udaj3yh', 'SQvulRMSvf', 'viSuXFc3r0', 'C5GuWFs1o2'
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, F1kui0hHXltUj8XoEp.cs High entropy of concatenated method names: 'Fhbp4MBeLF', 'mmIpa4hmbw', 'g5DpwCvCMa', 'lcopGthAfD', 'mwVpDf6JJa', 'xF2pBU9Gqq', 'dVxpiaHdqg', 'aYTp9J4fK8', 'Rm6pge74no', 'xcfpNtXen9'
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, lD6X0UONIYNOg5BJGy.cs High entropy of concatenated method names: 'Dispose', 'VwiPWfKbwy', 'rKT1nVtGtY', 'z4MrrUScjj', 'i6fPJDXP7t', 'es3PzgIaxQ', 'ProcessDialogKey', 'O6j1I8Mj5O', 'nVe1POoiQX', 'qYx11jKDev'
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, sMpq8MgxBtmfQc7hVZ.cs High entropy of concatenated method names: 'jqNiXmQRsq', 'X0fiJJ7VKE', 'Q2t9I6D2KA', 'CuT9PJEYxy', 'mh4iE4pBMV', 'Tt1ijnQgaP', 'CLciLrcIDv', 'p3fiAxrV2S', 'vjri5yOWn7', 'L2hiZxOINu'
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, lxHXRBKLGGyovfHHfNo.cs High entropy of concatenated method names: 'GL4gVRWWu3', 'EpMgUKfA0Q', 'eh0gQypSSD', 'l3Ig4NwtKG', 'W98gfig7kT', 'GBvga6YIct', 'PTwgyXRKky', 'JQNgwh7RlO', 'DnBgGHmC8o', 'jsqgCuv5SM'
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, wK4Q4J7UygAoyBA9eb.cs High entropy of concatenated method names: 'ToString', 'zuaBEbp5FT', 'gatBn7YhnV', 'YMXBehEIF4', 'vOuBveEdjK', 'RBiBSgu916', 'jQrB0Tp2vM', 'Vv1BxW6AJ8', 'PMoBkZECO3', 'PsBBMWlBjP'
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, y1MWdM8pFPBe1AIgHb.cs High entropy of concatenated method names: 'tmODqZDgH2', 'vErDjFLDIL', 'CX2DAnaghG', 'IAWD5XWLG8', 'wZrDnHfUH9', 'iV9DeGZa1U', 'b29DvVy5yC', 'AkcDSiCgyC', 'yf1D0DWRrp', 'MapDxLtml7'
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, PqqPaF2KJZBZrI6lDe.cs High entropy of concatenated method names: 'gGL9Ryt964', 'gJ09nNRqnY', 'epV9e68xG0', 'wIe9vyN6O2', 'Vfp9AhTHMc', 'oOW9SHJC3Y', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, Ktk1vusll3dfUKxdGp.cs High entropy of concatenated method names: 'XSii2BAGmV', 'a18i8xi6Wk', 'ToString', 'HFOiKf0pkJ', 'N9SiHtHdng', 'rTPipuCoRm', 'zoOiuywOMY', 'R0YiOQH7Zt', 'xuPiop3Wjl', 'AL7itQXEvZ'
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, WRb1s5pjjAsAn4xUXJ.cs High entropy of concatenated method names: 'eQDO3HEvyJ', 'M3vOVRScUm', 'C2XOQZuIcj', 'Th1O4KAuN3', 'K1lOa3kRid', 'o9eOyhQj0A', 'qfWOGuFr4I', 'EuIOCKSnMu', 'h6M9lck6i72p4FT0BGb', 'fsO8g0kV0Wm37ykk6AP'
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, bYdBSCSMI6BraqGUna.cs High entropy of concatenated method names: 'FGmTwqF6ib', 'ytGTGi2DhM', 'RNjTRU2PN7', 'ufwTneTlkP', 'n3hTvBSFwt', 'YKVTSoIGWw', 'UHoTxCjL7k', 'HiPTkdUs2O', 'i8aTqxSoSX', 'LnFTET4RbM'
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, VbVLtk5sBaVsZ6XJMf.cs High entropy of concatenated method names: 'lneQSndKQ', 'kxM4KYsy2', 'rIJaAXdwp', 'IYBybFYlq', 'TVHGtWXXW', 'FJGClgYqW', 'n6Ay5BCfw2mfgSYwHv', 'fTgS5YX43qJYBTjsST', 't9l9wiU3S', 'uhuNmTmyB'
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, pTccDuW5VDOiXFTnJm.cs High entropy of concatenated method names: 'FjPufT73mp', 'nCMuyNDweH', 'g18pesvpF2', 'KhQpv84SIj', 'lWMpSoDlGf', 'tNep0ol6Fn', 'xgipxjSOtq', 'aUApk6OutZ', 'S0kpMdoymR', 'vFfpquZ1kS'
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, YiLXwmZk4RXUf517vf.cs High entropy of concatenated method names: 'ngHs6lUVg8', 'dhdsKfwxdh', 'ByosHeEhUU', 'Lt3spqmCQN', 'CZCsudcRK4', 'YQksOpHvcw', 'QdXso0ZYKy', 'NnBstQeqKH', 'eCXsFId9sK', 'TFIs23Is7F'
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, QbvwgO6baIslv2fkor.cs High entropy of concatenated method names: 'pkkPoTjvJF', 'msZPtow8Ep', 'xpvP20Ifbh', 'CkuP8IkahF', 'Og6PDsiTUD', 'XXPPBooyj6', 'aFvfpxZae16VGkqojr', 'aCNEd3hAUD24Cpitj5', 'PyCPPpQdYR', 'jsvPsL88S8'
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, mJjOINbjCUXmjjhSBk.cs High entropy of concatenated method names: 'zA3gP9QYd2', 'dQlgsy9s0i', 'tjbgcn8C5D', 'jbrgKSVZTw', 'IbkgHQxkU0', 'oIJguYFL9S', 'nmBgO6El5p', 'iHB9l7y8Wl', 'RWj9XmLlx3', 'mSH9WASRDk'
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, x49NvsDgedfoD3UMxg.cs High entropy of concatenated method names: 'v7K9K4CUdV', 'Eek9HdG24B', 'xkR9pEwLfZ', 'FV99u4PYLV', 'hQf9OvbF6Q', 'WYm9oc7rh6', 'wZr9tNY5SI', 'qiQ9F4HP1n', 'uRZ92qYujM', 'Kqw98faZdY'
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, ItmMcx3wbxxmt3sBET.cs High entropy of concatenated method names: 'qxyHAt4jnK', 'cCiH58LUBL', 'MPhHZgYdwg', 'neiHbUg0JP', 'X01HmcFJHy', 'vW4HdLGsn8', 'CkDHlUHjyx', 'OjvHXEydnx', 'XJYHW6JqH1', 'QWRHJlkyCw'
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, gQWb4ZKwxAMPxxMh9p3.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mYcNAcdmkw', 'QWGN5TfP7w', 'NWoNZ94XNL', 'cAXNb8sGig', 'TPHNmrQjKc', 'RuxNdSRpIj', 'w4ZNlZpdEX'
Source: 0.2.RFQ__363564546 -PO.exe.3fe56e0.3.raw.unpack, i69b0FxdmOZ6rNMXT1.cs High entropy of concatenated method names: 'cxjoVR9vgL', 'nVXoUUFJoc', 'anOoQ4bLoc', 'cmFo455etB', 'HOIofn00P2', 'NBeoaePWRo', 'omooyn5eGA', 'nD9owoV9Gf', 'mMZoGuFJLk', 'VusoCdhYXF'
Source: 0.2.RFQ__363564546 -PO.exe.2c294e0.0.raw.unpack, R87QTajabri3WprdxA.cs High entropy of concatenated method names: 'SoFXXYTXBr', 'VXePqW7LxoGttIrQMM', 'VJKqh4rSy8UE5CPs2d', 'w7T6rNymrPsVe05ZjX', 'Qa5usbZfG', 'UsaN6r2JI', 'Dispose', 'xdE70OV1R', 'WKG8Nh2TLfQX7DMBJq', 'FCyDZoO16YhsTUYx7V'
Source: 0.2.RFQ__363564546 -PO.exe.2c294e0.0.raw.unpack, I1Ds3abkUA5mh3kywv.cs High entropy of concatenated method names: 'I6pnpGMEc', 'pUPSoKeTB', 'w3OonGh86', 'S3aaCOvyF', 'MagvcleIh', 'hvmph4XfL', 'eXtqEM8mO', 'RC38AH4Bb', 'hyVW2X9uL', 'AbHynsT40'
Source: 0.2.RFQ__363564546 -PO.exe.2c294e0.0.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs High entropy of concatenated method names: 'sRJJ4PC1lt6MgSX9oLN', 'qCuPUJCYMdGJYrcKdqj', 'T9OMNMJAsS', 'KH71sVC96gudd8OjhqS', 'qSoaq8CnboJYXbPCm1H', 'XtbiVDCeUWVlZdG2V08', 'D2TFRiCIaLSytg31rTE', 'MtxGm4CM57HGXUKQMIN', 'RgtTUJcyZL', 'eFmMT9Tlnp'
Source: 0.2.RFQ__363564546 -PO.exe.2c294e0.0.raw.unpack, QEHxtuXFnnkJABhbAo.cs High entropy of concatenated method names: 'Geosg7Hdn', 'wwIBOnTmd', 'siWV4YECO', 'k32FNitut', 'cUAG5mh3k', 'JwvHwu9Dw', 'cr1hyajqeLqaQ4F9dK', 'Pgut89mcfAIn6Hs5oN', 'Dispose', 'MoveNext'
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, KOKtnKz1LPV1nJ6SBW.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QkmgTq2mmt', 'g67gD7TQV9', 'MAugBbdhHv', 'bSugi75nwZ', 'ERJg90shc9', 'AVQggiQNlV', 'DNTgNue7XA'
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, UXuZVTHMbqv2yWGmdY.cs High entropy of concatenated method names: 'DW7O6I457o', 'c1BOH4plYT', 'LfEOu0fCp4', 'UE0OobPkIt', 'gFpOt4653t', 'CffumprTeM', 'zI0udaj3yh', 'SQvulRMSvf', 'viSuXFc3r0', 'C5GuWFs1o2'
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, F1kui0hHXltUj8XoEp.cs High entropy of concatenated method names: 'Fhbp4MBeLF', 'mmIpa4hmbw', 'g5DpwCvCMa', 'lcopGthAfD', 'mwVpDf6JJa', 'xF2pBU9Gqq', 'dVxpiaHdqg', 'aYTp9J4fK8', 'Rm6pge74no', 'xcfpNtXen9'
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, lD6X0UONIYNOg5BJGy.cs High entropy of concatenated method names: 'Dispose', 'VwiPWfKbwy', 'rKT1nVtGtY', 'z4MrrUScjj', 'i6fPJDXP7t', 'es3PzgIaxQ', 'ProcessDialogKey', 'O6j1I8Mj5O', 'nVe1POoiQX', 'qYx11jKDev'
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, sMpq8MgxBtmfQc7hVZ.cs High entropy of concatenated method names: 'jqNiXmQRsq', 'X0fiJJ7VKE', 'Q2t9I6D2KA', 'CuT9PJEYxy', 'mh4iE4pBMV', 'Tt1ijnQgaP', 'CLciLrcIDv', 'p3fiAxrV2S', 'vjri5yOWn7', 'L2hiZxOINu'
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, lxHXRBKLGGyovfHHfNo.cs High entropy of concatenated method names: 'GL4gVRWWu3', 'EpMgUKfA0Q', 'eh0gQypSSD', 'l3Ig4NwtKG', 'W98gfig7kT', 'GBvga6YIct', 'PTwgyXRKky', 'JQNgwh7RlO', 'DnBgGHmC8o', 'jsqgCuv5SM'
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, wK4Q4J7UygAoyBA9eb.cs High entropy of concatenated method names: 'ToString', 'zuaBEbp5FT', 'gatBn7YhnV', 'YMXBehEIF4', 'vOuBveEdjK', 'RBiBSgu916', 'jQrB0Tp2vM', 'Vv1BxW6AJ8', 'PMoBkZECO3', 'PsBBMWlBjP'
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, y1MWdM8pFPBe1AIgHb.cs High entropy of concatenated method names: 'tmODqZDgH2', 'vErDjFLDIL', 'CX2DAnaghG', 'IAWD5XWLG8', 'wZrDnHfUH9', 'iV9DeGZa1U', 'b29DvVy5yC', 'AkcDSiCgyC', 'yf1D0DWRrp', 'MapDxLtml7'
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, PqqPaF2KJZBZrI6lDe.cs High entropy of concatenated method names: 'gGL9Ryt964', 'gJ09nNRqnY', 'epV9e68xG0', 'wIe9vyN6O2', 'Vfp9AhTHMc', 'oOW9SHJC3Y', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, Ktk1vusll3dfUKxdGp.cs High entropy of concatenated method names: 'XSii2BAGmV', 'a18i8xi6Wk', 'ToString', 'HFOiKf0pkJ', 'N9SiHtHdng', 'rTPipuCoRm', 'zoOiuywOMY', 'R0YiOQH7Zt', 'xuPiop3Wjl', 'AL7itQXEvZ'
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, WRb1s5pjjAsAn4xUXJ.cs High entropy of concatenated method names: 'eQDO3HEvyJ', 'M3vOVRScUm', 'C2XOQZuIcj', 'Th1O4KAuN3', 'K1lOa3kRid', 'o9eOyhQj0A', 'qfWOGuFr4I', 'EuIOCKSnMu', 'h6M9lck6i72p4FT0BGb', 'fsO8g0kV0Wm37ykk6AP'
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, bYdBSCSMI6BraqGUna.cs High entropy of concatenated method names: 'FGmTwqF6ib', 'ytGTGi2DhM', 'RNjTRU2PN7', 'ufwTneTlkP', 'n3hTvBSFwt', 'YKVTSoIGWw', 'UHoTxCjL7k', 'HiPTkdUs2O', 'i8aTqxSoSX', 'LnFTET4RbM'
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, VbVLtk5sBaVsZ6XJMf.cs High entropy of concatenated method names: 'lneQSndKQ', 'kxM4KYsy2', 'rIJaAXdwp', 'IYBybFYlq', 'TVHGtWXXW', 'FJGClgYqW', 'n6Ay5BCfw2mfgSYwHv', 'fTgS5YX43qJYBTjsST', 't9l9wiU3S', 'uhuNmTmyB'
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, pTccDuW5VDOiXFTnJm.cs High entropy of concatenated method names: 'FjPufT73mp', 'nCMuyNDweH', 'g18pesvpF2', 'KhQpv84SIj', 'lWMpSoDlGf', 'tNep0ol6Fn', 'xgipxjSOtq', 'aUApk6OutZ', 'S0kpMdoymR', 'vFfpquZ1kS'
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, YiLXwmZk4RXUf517vf.cs High entropy of concatenated method names: 'ngHs6lUVg8', 'dhdsKfwxdh', 'ByosHeEhUU', 'Lt3spqmCQN', 'CZCsudcRK4', 'YQksOpHvcw', 'QdXso0ZYKy', 'NnBstQeqKH', 'eCXsFId9sK', 'TFIs23Is7F'
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, QbvwgO6baIslv2fkor.cs High entropy of concatenated method names: 'pkkPoTjvJF', 'msZPtow8Ep', 'xpvP20Ifbh', 'CkuP8IkahF', 'Og6PDsiTUD', 'XXPPBooyj6', 'aFvfpxZae16VGkqojr', 'aCNEd3hAUD24Cpitj5', 'PyCPPpQdYR', 'jsvPsL88S8'
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, mJjOINbjCUXmjjhSBk.cs High entropy of concatenated method names: 'zA3gP9QYd2', 'dQlgsy9s0i', 'tjbgcn8C5D', 'jbrgKSVZTw', 'IbkgHQxkU0', 'oIJguYFL9S', 'nmBgO6El5p', 'iHB9l7y8Wl', 'RWj9XmLlx3', 'mSH9WASRDk'
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, x49NvsDgedfoD3UMxg.cs High entropy of concatenated method names: 'v7K9K4CUdV', 'Eek9HdG24B', 'xkR9pEwLfZ', 'FV99u4PYLV', 'hQf9OvbF6Q', 'WYm9oc7rh6', 'wZr9tNY5SI', 'qiQ9F4HP1n', 'uRZ92qYujM', 'Kqw98faZdY'
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, ItmMcx3wbxxmt3sBET.cs High entropy of concatenated method names: 'qxyHAt4jnK', 'cCiH58LUBL', 'MPhHZgYdwg', 'neiHbUg0JP', 'X01HmcFJHy', 'vW4HdLGsn8', 'CkDHlUHjyx', 'OjvHXEydnx', 'XJYHW6JqH1', 'QWRHJlkyCw'
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, gQWb4ZKwxAMPxxMh9p3.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mYcNAcdmkw', 'QWGN5TfP7w', 'NWoNZ94XNL', 'cAXNb8sGig', 'TPHNmrQjKc', 'RuxNdSRpIj', 'w4ZNlZpdEX'
Source: 0.2.RFQ__363564546 -PO.exe.7bd0000.8.raw.unpack, i69b0FxdmOZ6rNMXT1.cs High entropy of concatenated method names: 'cxjoVR9vgL', 'nVXoUUFJoc', 'anOoQ4bLoc', 'cmFo455etB', 'HOIofn00P2', 'NBeoaePWRo', 'omooyn5eGA', 'nD9owoV9Gf', 'mMZoGuFJLk', 'VusoCdhYXF'
Drops PE files
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe File created: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Jump to dropped file
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wBeZBSZ Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wBeZBSZ Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe File opened: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe:Zone.Identifier read attributes | delete Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: RFQ__363564546 -PO.exe PID: 6196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wBeZBSZ.exe PID: 7440, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Memory allocated: 1080000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Memory allocated: 2C00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Memory allocated: 1110000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Memory allocated: 7C50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Memory allocated: 8C50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Memory allocated: 8F10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Memory allocated: 9F10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Memory allocated: 10E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Memory allocated: 2CD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Memory allocated: 10E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Memory allocated: 10F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Memory allocated: 2DB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Memory allocated: 4DB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Memory allocated: 79D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Memory allocated: 89D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Memory allocated: 8C70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Memory allocated: 9C70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Memory allocated: 15C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Memory allocated: 3160000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Memory allocated: 5160000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Memory allocated: BC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Memory allocated: 26F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Memory allocated: BC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Memory allocated: 72A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Memory allocated: 82A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Memory allocated: 8440000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Memory allocated: 9440000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Memory allocated: 29A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Memory allocated: 2AC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Memory allocated: 4AC0000 memory reserve | memory write watch
Contains functionality to detect virtual machines (SIDT)
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Code function: 0_2_010DABD0 sidt fword ptr [ecx+24448B11h] 0_2_010DABD0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1199984 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1199874 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1199750 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1199641 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1199531 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1199422 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1199313 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1199185 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1199063 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1198938 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1198828 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1198719 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1198594 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1200000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199891 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199781 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199672 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199562 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199453 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199344 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199219 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199109 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198884 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198766 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198656 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198547 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198437 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198280 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198169 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198047 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1197937 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199875
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199766
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199657
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199532
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199407
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199282
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199157
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199047
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198938
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198813
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198688
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198563
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198438
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198328
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198219
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198094
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1197985
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1197860
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1197735
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5779 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3119 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Window / User API: threadDelayed 7386 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Window / User API: threadDelayed 2453 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Window / User API: threadDelayed 1800 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Window / User API: threadDelayed 8048 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Window / User API: threadDelayed 1915
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Window / User API: threadDelayed 7927
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 3356 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7284 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7248 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -30437127721620741s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -99891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -99781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -99672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -99562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -99453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -99344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -99228s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -99110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -99000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -98891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -98766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -98656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -98532s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -98407s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -98297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -98188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -98063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -97938s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -97813s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -97688s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -97578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -97469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -97344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -97235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -97107s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -96985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -96874s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -96750s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -96641s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -96516s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -96406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -96297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -96184s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -96076s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -95953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -95844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -1199984s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -1199874s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -1199750s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -1199641s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -1199531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -1199422s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -1199313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -1199185s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -1199063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -1198938s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -1198828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -1198719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe TID: 7316 Thread sleep time: -1198594s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7460 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep count: 31 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -28592453314249787s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7688 Thread sleep count: 1800 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -99891s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7688 Thread sleep count: 8048 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -99781s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -99672s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -99560s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -99453s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -99344s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -99234s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -99125s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -99014s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -98906s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -98797s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -98687s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -98578s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -98469s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -98359s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -98250s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -98141s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -98030s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -97922s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -97812s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -97703s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -97591s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -97469s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -97360s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -97235s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -97110s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -96985s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -96860s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -96735s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -96610s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -1200000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -1199891s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -1199781s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -1199672s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -1199562s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -1199453s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -1199344s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -1199219s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -1199109s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -1199000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -1198884s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -1198766s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -1198656s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -1198547s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -1198437s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -1198280s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -1198169s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -1198047s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7684 Thread sleep time: -1197937s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7844 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -99781s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -99671s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -99562s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -99331s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -99093s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -98874s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -98765s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -98656s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -98546s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -98434s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -98328s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -98218s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -98109s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -97999s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -97890s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -97781s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -97671s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -97562s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -97453s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -97343s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -97234s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -97125s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -97015s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -96906s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -96796s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -1199875s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -1199766s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -1199657s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -1199532s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -1199407s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -1199282s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -1199157s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -1199047s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -1198938s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -1198813s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -1198688s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -1198563s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -1198438s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -1198328s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -1198219s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -1198094s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -1197985s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -1197860s >= -30000s
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe TID: 7972 Thread sleep time: -1197735s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 99891 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 99781 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 99672 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 99562 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 99453 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 99344 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 99228 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 99110 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 99000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 98891 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 98766 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 98656 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 98532 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 98407 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 98297 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 98188 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 98063 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 97938 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 97813 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 97688 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 97578 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 97469 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 97344 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 97235 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 97107 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 96985 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 96874 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 96750 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 96641 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 96516 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 96406 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 96297 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 96184 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 96076 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 95953 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 95844 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1199984 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1199874 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1199750 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1199641 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1199531 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1199422 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1199313 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1199185 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1199063 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1198938 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1198828 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1198719 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Thread delayed: delay time: 1198594 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 99891 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 99781 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 99672 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 99560 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 99453 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 99344 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 99234 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 99125 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 99014 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 98906 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 98797 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 98687 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 98578 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 98469 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 98359 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 98250 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 98141 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 98030 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 97922 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 97812 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 97703 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 97591 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 97469 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 97360 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 97235 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 97110 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 96985 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 96860 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 96735 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 96610 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1200000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199891 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199781 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199672 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199562 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199453 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199344 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199219 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199109 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198884 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198766 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198656 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198547 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198437 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198280 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198169 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198047 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1197937 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 99890
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 99781
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 99671
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 99562
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 99453
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 99331
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 99203
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 99093
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 98984
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 98874
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 98765
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 98656
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 98546
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 98434
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 98328
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 98218
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 98109
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 97999
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 97890
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 97781
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 97671
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 97562
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 97453
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 97343
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 97234
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 97125
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 97015
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 96906
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 96796
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199875
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199766
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199657
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199532
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199407
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199282
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199157
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1199047
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198938
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198813
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198688
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198563
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198438
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198328
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198219
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1198094
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1197985
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1197860
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Thread delayed: delay time: 1197735
Source: RFQ__363564546 -PO.exe, 00000000.00000002.2000100166.0000000004861000.00000004.00000800.00020000.00000000.sdmp, RFQ__363564546 -PO.exe, 00000000.00000002.2000100166.0000000003F42000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 00000006.00000002.2161745912.0000000004091000.00000004.00000800.00020000.00000000.sdmp, wBeZBSZ.exe, 00000007.00000002.2210664065.0000000000402000.00000040.00000400.00020000.00000000.sdmp, wBeZBSZ.exe, 00000009.00000002.2238725091.0000000003A32000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: xYhgFs4
Source: wBeZBSZ.exe, 00000007.00000002.2211970704.00000000016F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
Source: RFQ__363564546 -PO.exe, 00000004.00000002.4441846267.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, wBeZBSZ.exe, 0000000A.00000002.4442959645.000000000100B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ__363564546 -PO.exe"
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ__363564546 -PO.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Memory written: C:\Users\user\Desktop\RFQ__363564546 -PO.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Memory written: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Memory written: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ__363564546 -PO.exe" Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Process created: C:\Users\user\Desktop\RFQ__363564546 -PO.exe "C:\Users\user\Desktop\RFQ__363564546 -PO.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process created: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe "C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Process created: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe "C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe"
Source: RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002D74000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Time: 04/27/2024 12:45:16<br>User Name: user<br>Computer Name: 051829<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 102.165.48.43<br><hr><b>[ Program Manager]</b> (29/03/2024 11:33:30)<br>{Win}rTe]q
Source: RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002D64000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002D74000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: @\]qDTime: 04/27/2024 12:45:16<br>User Name: user<br>Computer Name: 051829<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 102.165.48.43<br><hr><b>[ Program Manager]</b> (29/03/2024 11:33:30)<br>{Win}r
Source: RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002D74000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Time: 04/27/2024 12:45:16<br>User Name: user<br>Computer Name: 051829<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 102.165.48.43<br><hr><b>[ Program Manager]</b> (29/03/2024 11:33:30)<br>{Win}r
Source: RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002D64000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR]q
Source: RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002D64000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]q3<b>[ Program Manager]</b> (29/03/2024 11:33:30)<br>
Source: RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002D64000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]q9<b>[ Program Manager]</b> (29/03/2024 11:33:30)<br>{Win}rTHbq
Source: RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 2.165.48.43<br><hr><b>[ Program Manager]</b> (29/03/2024 11:33:30=
Source: RFQ__363564546 -PO.exe, 00000004.00000002.4446092126.0000000002D64000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]q8<b>[ Program Manager]</b> (29/03/2024 11:33:30)<br>{Win}THbq
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Queries volume information: C:\Users\user\Desktop\RFQ__363564546 -PO.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Queries volume information: C:\Users\user\Desktop\RFQ__363564546 -PO.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Queries volume information: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Queries volume information: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Queries volume information: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Queries volume information: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.RFQ__363564546 -PO.exe.3f7d010.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wBeZBSZ.exe.3a6d2a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.wBeZBSZ.exe.40cc638.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.wBeZBSZ.exe.40cc638.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wBeZBSZ.exe.3a6d2a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__363564546 -PO.exe.3f421f0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wBeZBSZ.exe.3a32480.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wBeZBSZ.exe.3a32480.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.wBeZBSZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.wBeZBSZ.exe.4091818.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__363564546 -PO.exe.3f7d010.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.wBeZBSZ.exe.4091818.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__363564546 -PO.exe.3f421f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4446092126.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.4444960977.0000000002B44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.4444960977.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4446092126.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2161745912.0000000004091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.4444960977.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2213525634.00000000031DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2000100166.0000000004861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2213525634.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4446092126.0000000002D54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2210664065.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2213525634.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2238725091.0000000003A32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2000100166.0000000003F42000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ__363564546 -PO.exe PID: 6196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RFQ__363564546 -PO.exe PID: 3628, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wBeZBSZ.exe PID: 7440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wBeZBSZ.exe PID: 7536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wBeZBSZ.exe PID: 7824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wBeZBSZ.exe PID: 7876, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.RFQ__363564546 -PO.exe.7290000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__363564546 -PO.exe.7290000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__363564546 -PO.exe.2c294e0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.wBeZBSZ.exe.2dd94fc.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__363564546 -PO.exe.2c294e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.wBeZBSZ.exe.2dd94fc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2001971294.0000000007290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2160423220.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1999641556.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\RFQ__363564546 -PO.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\wBeZBSZ\wBeZBSZ.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 0.2.RFQ__363564546 -PO.exe.3f7d010.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wBeZBSZ.exe.3a6d2a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.wBeZBSZ.exe.40cc638.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.wBeZBSZ.exe.40cc638.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wBeZBSZ.exe.3a6d2a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__363564546 -PO.exe.3f421f0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wBeZBSZ.exe.3a32480.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wBeZBSZ.exe.3a32480.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.wBeZBSZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.wBeZBSZ.exe.4091818.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__363564546 -PO.exe.3f7d010.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.wBeZBSZ.exe.4091818.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__363564546 -PO.exe.3f421f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4446092126.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2161745912.0000000004091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.4444960977.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2000100166.0000000004861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2210664065.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2213525634.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2238725091.0000000003A32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2000100166.0000000003F42000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ__363564546 -PO.exe PID: 6196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RFQ__363564546 -PO.exe PID: 3628, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wBeZBSZ.exe PID: 7440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wBeZBSZ.exe PID: 7536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wBeZBSZ.exe PID: 7824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wBeZBSZ.exe PID: 7876, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.RFQ__363564546 -PO.exe.3f7d010.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wBeZBSZ.exe.3a6d2a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.wBeZBSZ.exe.40cc638.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.wBeZBSZ.exe.40cc638.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wBeZBSZ.exe.3a6d2a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__363564546 -PO.exe.3f421f0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wBeZBSZ.exe.3a32480.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.wBeZBSZ.exe.3a32480.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.wBeZBSZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.wBeZBSZ.exe.4091818.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__363564546 -PO.exe.3f7d010.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.wBeZBSZ.exe.4091818.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__363564546 -PO.exe.3f421f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4446092126.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.4444960977.0000000002B44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.4444960977.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4446092126.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2161745912.0000000004091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.4444960977.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2213525634.00000000031DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2000100166.0000000004861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2213525634.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4446092126.0000000002D54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2210664065.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2213525634.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2238725091.0000000003A32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2000100166.0000000003F42000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ__363564546 -PO.exe PID: 6196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RFQ__363564546 -PO.exe PID: 3628, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wBeZBSZ.exe PID: 7440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wBeZBSZ.exe PID: 7536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wBeZBSZ.exe PID: 7824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wBeZBSZ.exe PID: 7876, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.RFQ__363564546 -PO.exe.7290000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__363564546 -PO.exe.7290000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__363564546 -PO.exe.2c294e0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.wBeZBSZ.exe.2dd94fc.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__363564546 -PO.exe.2c294e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.wBeZBSZ.exe.2dd94fc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2001971294.0000000007290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2160423220.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1999641556.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1417012 Sample: RFQ__363564546 -PO.exe Startdate: 28/03/2024 Architecture: WINDOWS Score: 100 32 mail.ag-tr.com 2->32 34 api.ipify.org 2->34 36 ag-tr.com 2->36 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 12 other signatures 2->58 8 RFQ__363564546 -PO.exe 4 2->8         started        11 wBeZBSZ.exe 3 2->11         started        13 wBeZBSZ.exe 2->13         started        signatures3 process4 signatures5 60 Adds a directory exclusion to Windows Defender 8->60 62 Injects a PE file into a foreign processes 8->62 15 RFQ__363564546 -PO.exe 16 5 8->15         started        20 powershell.exe 23 8->20         started        64 Multi AV Scanner detection for dropped file 11->64 66 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->66 68 Machine Learning detection for dropped file 11->68 22 wBeZBSZ.exe 14 2 11->22         started        24 wBeZBSZ.exe 13->24         started        process6 dnsIp7 38 ag-tr.com 185.111.247.38, 49708, 49713, 49719 MUVHOSTTR Turkey 15->38 40 api.ipify.org 172.67.74.152, 443, 49706, 49711 CLOUDFLARENETUS United States 15->40 28 C:\Users\user\AppData\Roaming\...\wBeZBSZ.exe, PE32 15->28 dropped 30 C:\Users\user\...\wBeZBSZ.exe:Zone.Identifier, ASCII 15->30 dropped 42 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->42 44 Tries to steal Mail credentials (via file / registry access) 15->44 46 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->46 26 conhost.exe 20->26         started        48 Tries to harvest and steal browser information (history, passwords, etc) 24->48 50 Installs a global keyboard hook 24->50 file8 signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.111.247.38
 ag-tr.com Turkey
209711 MUVHOSTTR false
172.67.74.152
 api.ipify.org United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
ag-tr.com 185.111.247.38 true
api.ipify.org 172.67.74.152 true
mail.ag-tr.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
    		high