Windows Analysis Report
Zapytanie ofertowe (7427-23 ROCKFIN).exe

Overview

General Information

Sample name: Zapytanie ofertowe (7427-23 ROCKFIN).exe
Analysis ID: 1430199
MD5: 1f1abb143c8b30fb865bc08257345941
SHA1: 05b50da690ba76f4aeae4acee59d1d6d2e66f6b2
SHA256: 517a4c4d84de92e88d51de7f864fbdff01b5b2a3e6e0930a291ada3787af9441
Tags: exe

Detection

AgentTesla, DarkTortilla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

AV Detection

Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe Avira: detected
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.437b302.1.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.ionos.es", "Username": "eurospring@eurospring.es", "Password": "B-60595022bcn"}
Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe ReversingLabs: Detection: 26%
Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe Virustotal: Detection: 32%
Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe Joe Sandbox ML: detected
Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: global traffic TCP traffic: 192.168.2.4:49743 -> 213.165.67.118:587
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 213.165.67.118
Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: www.google.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.437b302.1.raw.unpack, cPKWk.cs .Net Code: LD9oNfi
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.442b352.0.raw.unpack, cPKWk.cs .Net Code: LD9oNfi
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.4465e10.3.raw.unpack, cPKWk.cs .Net Code: LD9oNfi
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.4340822.2.raw.unpack, cPKWk.cs .Net Code: LD9oNfi

System Summary

Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.4340822.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.442b352.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.437b302.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.4465e10.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.4465e10.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.437b302.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.442b352.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.4340822.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Code function: 0_2_08C5FBA8 CreateProcessAsUserW, 0_2_08C5FBA8
Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe, 00000000.00000000.1654187983.000000000025A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamecali crypted.exe@ vs Zapytanie ofertowe (7427-23 ROCKFIN).exe
Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe, 00000000.00000002.2389417010.000000000442B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameae2483b3-f78c-4d8c-9f6c-5ea2aebc8f8f.exe4 vs Zapytanie ofertowe (7427-23 ROCKFIN).exe
Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe, 00000000.00000002.2398343896.0000000008800000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRP8SH.dll, vs Zapytanie ofertowe (7427-23 ROCKFIN).exe
Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe, 00000000.00000002.2396033362.0000000006C20000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMiPro.dll, vs Zapytanie ofertowe (7427-23 ROCKFIN).exe
Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe, 00000000.00000002.2389417010.0000000004305000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameae2483b3-f78c-4d8c-9f6c-5ea2aebc8f8f.exe4 vs Zapytanie ofertowe (7427-23 ROCKFIN).exe
Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe, 00000000.00000002.2382670548.000000000150E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Zapytanie ofertowe (7427-23 ROCKFIN).exe
Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe, 00000000.00000002.2389417010.000000000450F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMiPro.dll, vs Zapytanie ofertowe (7427-23 ROCKFIN).exe
Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe Binary or memory string: OriginalFilenamecali crypted.exe@ vs Zapytanie ofertowe (7427-23 ROCKFIN).exe
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.4340822.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.442b352.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.437b302.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.4465e10.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.4465e10.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.437b302.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.442b352.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.4340822.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.437b302.1.raw.unpack, cPs8D.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.437b302.1.raw.unpack, 72CF8egH.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.437b302.1.raw.unpack, G5CXsdn.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.437b302.1.raw.unpack, 3uPsILA6U.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.437b302.1.raw.unpack, 6oQOw74dfIt.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.437b302.1.raw.unpack, aMIWm.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.437b302.1.raw.unpack, 3QjbQ514BDx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Zapytanie ofertowe (7427-23 ROCKFIN).exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe ReversingLabs: Detection: 26%
Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe Virustotal: Detection: 32%
Source: unknown Process created: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe "C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe"
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Section loaded (in order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, dwrite.dll, windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded (in order): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (twice), uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, vaultcli.dll, wintypes.dll, iphlpapi.dll, dnsapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, mswsock.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.450fa20.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.450fa20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.6c20000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.6c20000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2383310940.00000000032EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2396033362.0000000006C20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2389417010.000000000450F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Zapytanie ofertowe (7427-23 ROCKFIN).exe PID: 6580, type: MEMORYSTR
Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe, j7.cs .Net Code: NewLateBinding.LateCall(objectValue3, (Type)null, "Invoke", new object[2]{null,new object[0]}, (string[])null, (Type[])null, (bool[])null, true)
Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe, j7.cs .Net Code: t2K System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Code function: 0_2_019162C8 push esp; ret 0_2_019162D1
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Code function: 0_2_06D9D758 push es; ret 0_2_06D9D770
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Code function: 0_2_06D99092 push dword ptr [ecx+ecx-75h]; iretd 0_2_06D9909A
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Code function: 0_2_06EE7A68 pushfd ; ret 0_2_06EE7A75
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Code function: 0_2_087AF8EC push eax; iretd 0_2_087AF8ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_01699B40 push esp; retf 019Dh 5_2_01699BF1
Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe, Hc2.cs High entropy of concatenated method names: 'Pp1', 'Km9', 'g8X', 'Zc0', 'Ms9', 'y4T', 'Kc5', 'Ne8', 'k2J', 'Ey9'
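The "High entropy of concatenated method names" finding is a simple, reproducible heuristic. The following is an added example (not Joe Sandbox code) that computes it on the ten Hc2.cs names listed in that finding and, for contrast, on a constructed set of ordinary identifiers. It also normalizes the entropy by the maximum a string of that length can reach, because raw Shannon entropy of a 30-character string is capped near log2(30) bits and is therefore not directly comparable with that of a long run of English identifiers. The contrast names and the 0.85 cut-off are assumptions; the report does not state its own threshold.

```python
"""Reproduce the 'High entropy of concatenated method names' heuristic on the
names this report lists for Hc2.cs. Added example, not Joe Sandbox code; the
plain-looking names and the 0.85 cut-off are assumptions for contrast."""
import math
from collections import Counter

# Copied from the Hc2.cs finding in the report.
HC2_METHOD_NAMES = ['Pp1', 'Km9', 'g8X', 'Zc0', 'Ms9', 'y4T', 'Kc5', 'Ne8', 'k2J', 'Ey9']

# Constructed: what a hand-written class might expose (not from the report).
PLAIN_METHOD_NAMES = ['GetConnectionString', 'OpenConnection', 'CloseConnection',
                      'ExecuteQuery', 'ReadRow', 'WriteRow', 'Dispose']

ALNUM_ALPHABET = 62  # [A-Za-z0-9], the character set C# identifiers mostly use


def shannon_entropy(text: str) -> float:
    """Bits per character of `text`; 0.0 for empty input."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def method_name_entropy(names) -> float:
    """Entropy of all names joined into one string, as the finding phrases it."""
    return shannon_entropy(''.join(names))


def normalized_entropy(names) -> float:
    """Entropy divided by the largest value a string of that length can reach:
    log2(len) while the string is shorter than the alphabet, log2(62) beyond.
    A 30-character string cannot exceed ~4.9 bits, so comparing raw values
    against a fixed bit threshold would misjudge short classes."""
    joined = ''.join(names)
    if len(joined) < 2:
        return 0.0
    return shannon_entropy(joined) / math.log2(min(len(joined), ALNUM_ALPHABET))


def looks_obfuscated(names, cutoff=0.85, min_chars=16) -> bool:
    """True when a class's method names are near-random tokens.
    The cut-off is an assumption; the report does not state its own."""
    return len(''.join(names)) >= min_chars and normalized_entropy(names) >= cutoff


if __name__ == '__main__':
    for label, names in (('Hc2.cs', HC2_METHOD_NAMES), ('plain', PLAIN_METHOD_NAMES)):
        print(f"{label:8s} raw={method_name_entropy(names):.2f} bits/char "
              f"normalized={normalized_entropy(names):.2f} "
              f"obfuscated={looks_obfuscated(names)}")
```

The Hc2.cs names come out at about 4.48 bits per character, over 90% of the maximum for a 30-character string, while the constructed English identifiers sit near 4.09 bits but only about 69% of their ceiling. The normalized figure is what separates the two; the raw values are within half a bit of each other, which is why a raw-entropy rule on its own tends to flag long, ordinary class names as well.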

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe File opened: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Process information set: NOOPENFILEERRORBOX (58 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX (59 occurrences)

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Zapytanie ofertowe (7427-23 ROCKFIN).exe PID: 6580, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Memory allocated: 1910000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Memory allocated: 32C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Memory allocated: 1950000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Memory allocated: 9000000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Memory allocated: A000000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Memory allocated: A1F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Memory allocated: B1F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Memory allocated: B5D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Memory allocated: C5D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Memory allocated: D5D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 1650000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 3360000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 31A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Window / User API: threadDelayed 1605
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Window / User API: threadDelayed 8246
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 4484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 995
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe TID: 7252 Thread sleep time: -37815825351104557s >= -30000s
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe TID: 7252 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8012 Thread sleep count: 4484 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -99891s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8012 Thread sleep count: 995 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -99781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -99672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -99562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -99453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -99343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -99234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -99125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -99016s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -98891s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -98781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -98672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -98562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -98452s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -98344s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -98234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -98124s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -98016s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -97891s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -97766s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -97656s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -97547s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -97438s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -97313s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -97188s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -97078s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8004 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99672 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99343 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99125 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99016 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98672 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98452 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98124 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98016 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97438 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe, 00000000.00000002.2396033362.0000000006C20000.00000004.08000000.00040000.00000000.sdmp, Zapytanie ofertowe (7427-23 ROCKFIN).exe, 00000000.00000002.2389417010.000000000450F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxTray
Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe, 00000000.00000002.2389417010.000000000450F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
Source: Zapytanie ofertowe (7427-23 ROCKFIN).exe, 00000000.00000002.2382776548.0000000001599000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2928291445.0000000006450000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 1029008
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Zapytanie ofertowe (7427-23 ROCKFIN).exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.4340822.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.442b352.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.437b302.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.4465e10.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.4465e10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.437b302.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.442b352.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.4340822.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2923460552.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2923460552.00000000033D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2908230870.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2389417010.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2923460552.0000000003361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2389417010.0000000004305000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Zapytanie ofertowe (7427-23 ROCKFIN).exe PID: 6580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7708, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.4340822.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.442b352.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.437b302.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.4465e10.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.4465e10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.437b302.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.442b352.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.4340822.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2908230870.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2389417010.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2923460552.0000000003361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2389417010.0000000004305000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Zapytanie ofertowe (7427-23 ROCKFIN).exe PID: 6580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7708, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.4340822.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.442b352.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.437b302.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.4465e10.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.4465e10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.437b302.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.442b352.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Zapytanie ofertowe (7427-23 ROCKFIN).exe.4340822.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2923460552.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2923460552.00000000033D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2908230870.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2389417010.000000000442B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2923460552.0000000003361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2389417010.0000000004305000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Zapytanie ofertowe (7427-23 ROCKFIN).exe PID: 6580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7708, type: MEMORYSTR