Windows Analysis Report
RFQ 0400-ENPI-RQMA.exe

Overview

General Information

Sample name:	RFQ 0400-ENPI-RQMA.exe
Analysis ID:	1430324
MD5:	73b6e5a11aff9e7bd681b55136c5fbcf
SHA1:	d8113fa2bd2b2fa43f3920b93f9a5217b9cb69a2
SHA256:	3ca71ea7d01b1f1e3613781fcd68b47c09a159af5876c134065bef4d912917a6
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queues an APC in another process (thread injection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: RFQ 0400-ENPI-RQMA.exe

ReversingLabs: Detection: 28%

Yara detected FormBook

Source: Yara match	File source: 2.2.RFQ 0400-ENPI-RQMA.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RFQ 0400-ENPI-RQMA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1927201157.0000000001300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1926547005.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2175893456.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2175933717.0000000003020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2913084591.0000000004B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1928973003.00000000017E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2896021580.0000000002B50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: RFQ 0400-ENPI-RQMA.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: RFQ 0400-ENPI-RQMA.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: RFQ 0400-ENPI-RQMA.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: aYJw.pdb source: RFQ 0400-ENPI-RQMA.exe
Source:	Binary string: replace.pdb source: RFQ 0400-ENPI-RQMA.exe, 00000002.00000002.1926765955.0000000000E47000.00000004.00000020.00020000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000004.00000002.2895608255.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000004.00000003.1866058996.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: replace.pdbGCTL source: RFQ 0400-ENPI-RQMA.exe, 00000002.00000002.1926765955.0000000000E47000.00000004.00000020.00020000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000004.00000002.2895608255.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000004.00000003.1866058996.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: KdcHSkcpIgYD.exe, 00000004.00000000.1853172112.00000000009BE000.00000002.00000001.01000000.0000000D.sdmp, KdcHSkcpIgYD.exe, 00000008.00000002.2897838287.00000000009BE000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: wntdll.pdbUGP source: RFQ 0400-ENPI-RQMA.exe, 00000002.00000002.1927402660.0000000001390000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000005.00000003.1928920536.0000000002FB6000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000005.00000002.2176003269.0000000003160000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000005.00000003.1926857156.0000000002E0E000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000005.00000002.2176003269.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RFQ 0400-ENPI-RQMA.exe, RFQ 0400-ENPI-RQMA.exe, 00000002.00000002.1927402660.0000000001390000.00000040.00001000.00020000.00000000.sdmp, replace.exe, replace.exe, 00000005.00000003.1928920536.0000000002FB6000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000005.00000002.2176003269.0000000003160000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000005.00000003.1926857156.0000000002E0E000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000005.00000002.2176003269.00000000032FE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: aYJw.pdbSHA256 source: RFQ 0400-ENPI-RQMA.exe

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe

Code function: 4x nop then jmp 07D87AD1h

0_2_07D871E1

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49743 -> 79.98.25.1:80

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 79.98.25.1 79.98.25.1

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: RACKRAYUABRakrejusLT RACKRAYUABRakrejusLT

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /aleu/?lT2ltVXh=ok/gmcxpcerYYESV9LVelGsDrZokr4IbVWXcVokfXup7b9fdD39fjj06OXsQXJEXHKhiFziBALjD8i0StjfBb+96LAD/3UXNvlvrkMKLP/jNG9hi36bWzAk=&66=uX3d2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.maxiwalls.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36

Source: unknown

DNS traffic detected: queries for: www.maxiwalls.com

Source: RFQ 0400-ENPI-RQMA.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RFQ 0400-ENPI-RQMA.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: RFQ 0400-ENPI-RQMA.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: RFQ 0400-ENPI-RQMA.exe	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661760268.0000000005CB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.comar
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1661786243.00000000073C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: replace.exe, 00000005.00000003.2112503982.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: replace.exe, 00000005.00000002.2176359316.0000000003C24000.00000004.10000000.00040000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000008.00000002.2898333907.0000000002B04000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2892020444.0000000001794000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://assets.iv.lt/default.css
Source: replace.exe, 00000005.00000002.2176359316.0000000003C24000.00000004.10000000.00040000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000008.00000002.2898333907.0000000002B04000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2892020444.0000000001794000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://assets.iv.lt/footer.html
Source: replace.exe, 00000005.00000002.2176359316.0000000003C24000.00000004.10000000.00040000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000008.00000002.2898333907.0000000002B04000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2892020444.0000000001794000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://assets.iv.lt/header.html
Source: firefox.exe, 00000009.00000002.2892020444.0000000001794000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://assets.iv.lt/images/icon.png
Source: firefox.exe, 00000009.00000002.2892020444.0000000001794000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://assets.iv.lt/images/thumbnail.png
Source: replace.exe, 00000005.00000003.2112503982.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: replace.exe, 00000005.00000003.2112503982.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: replace.exe, 00000005.00000003.2112503982.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: replace.exe, 00000005.00000003.2112503982.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: replace.exe, 00000005.00000003.2112503982.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: replace.exe, 00000005.00000003.2112503982.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: replace.exe, 00000005.00000002.2176359316.0000000003C24000.00000004.10000000.00040000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000008.00000002.2898333907.0000000002B04000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2892020444.0000000001794000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://klientams.iv.lt/
Source: replace.exe, 00000005.00000002.2175137923.0000000002B32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: replace.exe, 00000005.00000002.2175137923.0000000002B32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: replace.exe, 00000005.00000002.2175137923.0000000002B32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: replace.exe, 00000005.00000002.2175137923.0000000002B32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: replace.exe, 00000005.00000002.2175137923.0000000002B32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: replace.exe, 00000005.00000003.2106155503.0000000007BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: RFQ 0400-ENPI-RQMA.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: replace.exe, 00000005.00000003.2112503982.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: replace.exe, 00000005.00000003.2112503982.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: replace.exe, 00000005.00000002.2176359316.0000000003C24000.00000004.10000000.00040000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000008.00000002.2898333907.0000000002B04000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2892020444.0000000001794000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.iv.lt/
Source: replace.exe, 00000005.00000002.2176359316.0000000003C24000.00000004.10000000.00040000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000008.00000002.2898333907.0000000002B04000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2892020444.0000000001794000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.iv.lt/domenai/
Source: replace.exe, 00000005.00000002.2176359316.0000000003C24000.00000004.10000000.00040000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000008.00000002.2898333907.0000000002B04000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2892020444.0000000001794000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.iv.lt/duomenu-centras/
Source: replace.exe, 00000005.00000002.2176359316.0000000003C24000.00000004.10000000.00040000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000008.00000002.2898333907.0000000002B04000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2892020444.0000000001794000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.iv.lt/el-pasto-filtras/
Source: replace.exe, 00000005.00000002.2176359316.0000000003C24000.00000004.10000000.00040000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000008.00000002.2898333907.0000000002B04000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2892020444.0000000001794000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.iv.lt/neribotas-svetainiu-talpinimas/
Source: replace.exe, 00000005.00000002.2176359316.0000000003C24000.00000004.10000000.00040000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000008.00000002.2898333907.0000000002B04000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2892020444.0000000001794000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.iv.lt/profesionalus-hostingas/
Source: replace.exe, 00000005.00000002.2176359316.0000000003C24000.00000004.10000000.00040000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000008.00000002.2898333907.0000000002B04000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2892020444.0000000001794000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.iv.lt/sertifikatai/
Source: replace.exe, 00000005.00000002.2176359316.0000000003C24000.00000004.10000000.00040000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000008.00000002.2898333907.0000000002B04000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2892020444.0000000001794000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.iv.lt/svetainiu-kurimo-irankis/
Source: replace.exe, 00000005.00000002.2176359316.0000000003C24000.00000004.10000000.00040000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000008.00000002.2898333907.0000000002B04000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2892020444.0000000001794000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.iv.lt/talpinimo-planai/
Source: replace.exe, 00000005.00000002.2176359316.0000000003C24000.00000004.10000000.00040000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000008.00000002.2898333907.0000000002B04000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2892020444.0000000001794000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.iv.lt/vps-serveriai/

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.RFQ 0400-ENPI-RQMA.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RFQ 0400-ENPI-RQMA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1927201157.0000000001300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1926547005.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2175893456.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2175933717.0000000003020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2913084591.0000000004B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1928973003.00000000017E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2896021580.0000000002B50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RFQ 0400-ENPI-RQMA.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.RFQ 0400-ENPI-RQMA.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1927201157.0000000001300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1926547005.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2175893456.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2175933717.0000000003020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2913084591.0000000004B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1928973003.00000000017E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2896021580.0000000002B50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

.NET source code contains very large array initializations

Source: 0.2.RFQ 0400-ENPI-RQMA.exe.32e5318.4.raw.unpack, HomeView.cs	Large array initialization: : array initializer size 33604
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.7ae0000.11.raw.unpack, HomeView.cs	Large array initialization: : array initializer size 33604

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: RFQ 0400-ENPI-RQMA.exe

Contains functionality to call native functions

Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0042B233 NtClose,	2_2_0042B233
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_014035C0 NtCreateMutant,LdrInitializeThunk,	2_2_014035C0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402B60 NtClose,LdrInitializeThunk,	2_2_01402B60
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_01402DF0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_01402C70
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01403010 NtOpenDirectoryObject,	2_2_01403010
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01403090 NtSetValueKey,	2_2_01403090
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01404340 NtSetContextThread,	2_2_01404340
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01404650 NtSuspendThread,	2_2_01404650
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_014039B0 NtGetContextThread,	2_2_014039B0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402BE0 NtQueryValueKey,	2_2_01402BE0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402BF0 NtAllocateVirtualMemory,	2_2_01402BF0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402B80 NtQueryInformationFile,	2_2_01402B80
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402BA0 NtEnumerateValueKey,	2_2_01402BA0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402AD0 NtReadFile,	2_2_01402AD0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402AF0 NtWriteFile,	2_2_01402AF0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402AB0 NtWaitForSingleObject,	2_2_01402AB0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01403D70 NtOpenThread,	2_2_01403D70
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402D00 NtSetInformationFile,	2_2_01402D00
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402D10 NtMapViewOfSection,	2_2_01402D10
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01403D10 NtOpenProcessToken,	2_2_01403D10
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402D30 NtUnmapViewOfSection,	2_2_01402D30
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402DD0 NtDelayExecution,	2_2_01402DD0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402DB0 NtEnumerateKey,	2_2_01402DB0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402C60 NtCreateKey,	2_2_01402C60
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402C00 NtQueryInformationProcess,	2_2_01402C00
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402CC0 NtQueryVirtualMemory,	2_2_01402CC0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402CF0 NtOpenProcess,	2_2_01402CF0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402CA0 NtQueryInformationToken,	2_2_01402CA0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402F60 NtCreateProcessEx,	2_2_01402F60
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402F30 NtCreateSection,	2_2_01402F30
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402FE0 NtCreateFile,	2_2_01402FE0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402F90 NtProtectVirtualMemory,	2_2_01402F90
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402FA0 NtQuerySection,	2_2_01402FA0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402FB0 NtResumeThread,	2_2_01402FB0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402E30 NtWriteVirtualMemory,	2_2_01402E30
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402EE0 NtQueueApcThread,	2_2_01402EE0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402E80 NtReadVirtualMemory,	2_2_01402E80
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01402EA0 NtAdjustPrivilegesToken,	2_2_01402EA0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D4340 NtSetContextThread,LdrInitializeThunk,	5_2_031D4340
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D4650 NtSuspendThread,LdrInitializeThunk,	5_2_031D4650
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2B60 NtClose,LdrInitializeThunk,	5_2_031D2B60
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2BA0 NtEnumerateValueKey,LdrInitializeThunk,	5_2_031D2BA0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_031D2BF0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2BE0 NtQueryValueKey,LdrInitializeThunk,	5_2_031D2BE0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2AD0 NtReadFile,LdrInitializeThunk,	5_2_031D2AD0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2AF0 NtWriteFile,LdrInitializeThunk,	5_2_031D2AF0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2F30 NtCreateSection,LdrInitializeThunk,	5_2_031D2F30
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2FB0 NtResumeThread,LdrInitializeThunk,	5_2_031D2FB0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2FE0 NtCreateFile,LdrInitializeThunk,	5_2_031D2FE0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2E80 NtReadVirtualMemory,LdrInitializeThunk,	5_2_031D2E80
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2EE0 NtQueueApcThread,LdrInitializeThunk,	5_2_031D2EE0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_031D2D10
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2D30 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_031D2D30
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2DD0 NtDelayExecution,LdrInitializeThunk,	5_2_031D2DD0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_031D2DF0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_031D2C70
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2C60 NtCreateKey,LdrInitializeThunk,	5_2_031D2C60
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_031D2CA0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D35C0 NtCreateMutant,LdrInitializeThunk,	5_2_031D35C0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D39B0 NtGetContextThread,LdrInitializeThunk,	5_2_031D39B0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2B80 NtQueryInformationFile,	5_2_031D2B80
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2AB0 NtWaitForSingleObject,	5_2_031D2AB0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2F60 NtCreateProcessEx,	5_2_031D2F60
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2F90 NtProtectVirtualMemory,	5_2_031D2F90
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2FA0 NtQuerySection,	5_2_031D2FA0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2E30 NtWriteVirtualMemory,	5_2_031D2E30
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2EA0 NtAdjustPrivilegesToken,	5_2_031D2EA0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2D00 NtSetInformationFile,	5_2_031D2D00
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2DB0 NtEnumerateKey,	5_2_031D2DB0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2C00 NtQueryInformationProcess,	5_2_031D2C00
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2CC0 NtQueryVirtualMemory,	5_2_031D2CC0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D2CF0 NtOpenProcess,	5_2_031D2CF0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D3010 NtOpenDirectoryObject,	5_2_031D3010
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D3090 NtSetValueKey,	5_2_031D3090
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D3D10 NtOpenProcessToken,	5_2_031D3D10
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D3D70 NtOpenThread,	5_2_031D3D70

Detected potential crypto function

Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_016ADA4C	0_2_016ADA4C
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07B27F61	0_2_07B27F61
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07B23C01	0_2_07B23C01
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07B27C48	0_2_07B27C48
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07B24AB0	0_2_07B24AB0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07B22910	0_2_07B22910
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07B23659	0_2_07B23659
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07B2C4CC	0_2_07B2C4CC
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07B2C310	0_2_07B2C310
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07B2C301	0_2_07B2C301
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07B2A200	0_2_07B2A200
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07B23189	0_2_07B23189
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07B2A1F0	0_2_07B2A1F0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07B2A1C9	0_2_07B2A1C9
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07B28EE0	0_2_07B28EE0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07B26E00	0_2_07B26E00
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07B21DF9	0_2_07B21DF9
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07B26BC8	0_2_07B26BC8
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07B259A0	0_2_07B259A0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07B249C1	0_2_07B249C1
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07B2290B	0_2_07B2290B
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07B26857	0_2_07B26857
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07D89100	0_2_07D89100
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07D84CC0	0_2_07D84CC0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07D834B8	0_2_07D834B8
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07D84CB0	0_2_07D84CB0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07D82C48	0_2_07D82C48
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07D850F8	0_2_07D850F8
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07D83070	0_2_07D83070
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07D80007	0_2_07D80007
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_00401190	2_2_00401190
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_00403210	2_2_00403210
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_00402313	2_2_00402313
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_00402320	2_2_00402320
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_00402510	2_2_00402510
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0040FD1A	2_2_0040FD1A
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0040FD23	2_2_0040FD23
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0042D673	2_2_0042D673
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_004166C3	2_2_004166C3
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_004166BE	2_2_004166BE
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0040FF43	2_2_0040FF43
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_00402750	2_2_00402750
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0040DFC3	2_2_0040DFC3
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01458158	2_2_01458158
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0149B16B	2_2_0149B16B
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0140516C	2_2_0140516C
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013C0100	2_2_013C0100
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013BF172	2_2_013BF172
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0146A118	2_2_0146A118
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_014881CC	2_2_014881CC
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013DB1B0	2_2_013DB1B0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_014901AA	2_2_014901AA
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0147F0CC	2_2_0147F0CC
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_014870E9	2_2_014870E9
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0148F0E0	2_2_0148F0E0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013D70C0	2_2_013D70C0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0148A352	2_2_0148A352
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0148132D	2_2_0148132D
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013BD34C	2_2_013BD34C
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_014903E6	2_2_014903E6
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013DE3F0	2_2_013DE3F0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0141739A	2_2_0141739A
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01470274	2_2_01470274
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_014502C0	2_2_014502C0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013D52A0	2_2_013D52A0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_014712ED	2_2_014712ED
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013ED2F0	2_2_013ED2F0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013EB2C0	2_2_013EB2C0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013D0535	2_2_013D0535
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01487571	2_2_01487571
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01490591	2_2_01490591
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0146D5B0	2_2_0146D5B0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01482446	2_2_01482446
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013C1460	2_2_013C1460
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0148F43F	2_2_0148F43F
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0147E4F6	2_2_0147E4F6
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013D0770	2_2_013D0770
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013F4750	2_2_013F4750
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0148F7B0	2_2_0148F7B0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013CC7C0	2_2_013CC7C0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_014816CC	2_2_014816CC
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013EC6E0	2_2_013EC6E0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013E6962	2_2_013E6962
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013D9950	2_2_013D9950
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013EB950	2_2_013EB950
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013D29A0	2_2_013D29A0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0149A9A6	2_2_0149A9A6
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0143D800	2_2_0143D800
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013DA840	2_2_013DA840
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013D2840	2_2_013D2840
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013B68B8	2_2_013B68B8
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013FE8F0	2_2_013FE8F0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013D38E0	2_2_013D38E0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0148AB40	2_2_0148AB40
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0148FB76	2_2_0148FB76
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01486BD7	2_2_01486BD7
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01445BF0	2_2_01445BF0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0140DBF9	2_2_0140DBF9
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013EFB80	2_2_013EFB80
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0148FA49	2_2_0148FA49
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01487A46	2_2_01487A46
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01443A6C	2_2_01443A6C
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0147DAC6	2_2_0147DAC6
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013CEA80	2_2_013CEA80
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01415AA0	2_2_01415AA0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0146DAAC	2_2_0146DAAC
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01481D5A	2_2_01481D5A
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01487D73	2_2_01487D73
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013DAD00	2_2_013DAD00
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013D3D40	2_2_013D3D40
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013E8DBF	2_2_013E8DBF
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013CADE0	2_2_013CADE0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013EFDC0	2_2_013EFDC0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013D0C00	2_2_013D0C00
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01449C32	2_2_01449C32
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0148FCF2	2_2_0148FCF2
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013C0CF2	2_2_013C0CF2
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01470CB5	2_2_01470CB5
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01444F40	2_2_01444F40
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013F0F30	2_2_013F0F30
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0148FF09	2_2_0148FF09
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01412F28	2_2_01412F28
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013D1F92	2_2_013D1F92
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0144EFA0	2_2_0144EFA0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01393FD2	2_2_01393FD2
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01393FD5	2_2_01393FD5
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013C2FC8	2_2_013C2FC8
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0148FFB1	2_2_0148FFB1
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013D0E59	2_2_013D0E59
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0148EE26	2_2_0148EE26
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013D9EB0	2_2_013D9EB0
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0148EEDB	2_2_0148EEDB
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013E2E90	2_2_013E2E90
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0148CE93	2_2_0148CE93
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0325A352	5_2_0325A352
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_032603E6	5_2_032603E6
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031AE3F0	5_2_031AE3F0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_03240274	5_2_03240274
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_032202C0	5_2_032202C0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_03190100	5_2_03190100
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0323A118	5_2_0323A118
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_03228158	5_2_03228158
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_032541A2	5_2_032541A2
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_032601AA	5_2_032601AA
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_032581CC	5_2_032581CC
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_03232000	5_2_03232000
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031C4750	5_2_031C4750
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031A0770	5_2_031A0770
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0319C7C0	5_2_0319C7C0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031BC6E0	5_2_031BC6E0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031A0535	5_2_031A0535
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_03260591	5_2_03260591
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_03244420	5_2_03244420
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_03252446	5_2_03252446
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0324E4F6	5_2_0324E4F6
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0325AB40	5_2_0325AB40
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_03256BD7	5_2_03256BD7
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0319EA80	5_2_0319EA80
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031B6962	5_2_031B6962
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0326A9A6	5_2_0326A9A6
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031A29A0	5_2_031A29A0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031A2840	5_2_031A2840
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031AA840	5_2_031AA840
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031868B8	5_2_031868B8
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031CE8F0	5_2_031CE8F0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_03242F30	5_2_03242F30
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031C0F30	5_2_031C0F30
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031E2F28	5_2_031E2F28
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_03214F40	5_2_03214F40
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0321EFA0	5_2_0321EFA0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0325EE26	5_2_0325EE26
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031A0E59	5_2_031A0E59
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031B2E90	5_2_031B2E90
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0325CE93	5_2_0325CE93
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0325EEDB	5_2_0325EEDB
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031AAD00	5_2_031AAD00
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0323CD1F	5_2_0323CD1F
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031B8DBF	5_2_031B8DBF
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0319ADE0	5_2_0319ADE0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031A0C00	5_2_031A0C00
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_03240CB5	5_2_03240CB5
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_03190CF2	5_2_03190CF2
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0325132D	5_2_0325132D
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0318D34C	5_2_0318D34C
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031E739A	5_2_031E739A
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031A52A0	5_2_031A52A0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_032412ED	5_2_032412ED
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031BB2C0	5_2_031BB2C0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031BD2F0	5_2_031BD2F0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0326B16B	5_2_0326B16B
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0318F172	5_2_0318F172
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031D516C	5_2_031D516C
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031AB1B0	5_2_031AB1B0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0325F0E0	5_2_0325F0E0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_032570E9	5_2_032570E9
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031A70C0	5_2_031A70C0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0324F0CC	5_2_0324F0CC
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0325F7B0	5_2_0325F7B0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031E5630	5_2_031E5630
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_032516CC	5_2_032516CC
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_03257571	5_2_03257571
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0323D5B0	5_2_0323D5B0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_032695C3	5_2_032695C3
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0325F43F	5_2_0325F43F
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_03191460	5_2_03191460
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0325FB76	5_2_0325FB76
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031BFB80	5_2_031BFB80
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_03215BF0	5_2_03215BF0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031DDBF9	5_2_031DDBF9
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_03213A6C	5_2_03213A6C
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_03257A46	5_2_03257A46
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0325FA49	5_2_0325FA49
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_03241AA3	5_2_03241AA3
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0323DAAC	5_2_0323DAAC
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031E5AA0	5_2_031E5AA0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0324DAC6	5_2_0324DAC6
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_03235910	5_2_03235910
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031A9950	5_2_031A9950
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031BB950	5_2_031BB950
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0320D800	5_2_0320D800
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031A38E0	5_2_031A38E0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0325FF09	5_2_0325FF09
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031A1F92	5_2_031A1F92
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0325FFB1	5_2_0325FFB1
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031A9EB0	5_2_031A9EB0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_03257D73	5_2_03257D73
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031A3D40	5_2_031A3D40
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_03251D5A	5_2_03251D5A
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031BFDC0	5_2_031BFDC0
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_03219C32	5_2_03219C32
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0325FCF2	5_2_0325FCF2

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\replace.exe	Code function: String function: 0320EA12 appears 86 times
Source: C:\Windows\SysWOW64\replace.exe	Code function: String function: 031E7E54 appears 107 times
Source: C:\Windows\SysWOW64\replace.exe	Code function: String function: 0318B970 appears 262 times
Source: C:\Windows\SysWOW64\replace.exe	Code function: String function: 031D5130 appears 58 times
Source: C:\Windows\SysWOW64\replace.exe	Code function: String function: 0321F290 appears 103 times
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: String function: 0143EA12 appears 86 times
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: String function: 01405130 appears 36 times
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: String function: 0144F290 appears 103 times
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: String function: 013BB970 appears 254 times
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: String function: 01417E54 appears 94 times

PE / OLE file has an invalid certificate

Source: RFQ 0400-ENPI-RQMA.exe

Static PE information: invalid certificate

PE file contains strange resources

Source: RFQ 0400-ENPI-RQMA.exe

Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Sample file is different than original file name gathered from version info

Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1657413936.00000000016DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs RFQ 0400-ENPI-RQMA.exe
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1657993465.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs RFQ 0400-ENPI-RQMA.exe
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1663447736.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs RFQ 0400-ENPI-RQMA.exe
Source: RFQ 0400-ENPI-RQMA.exe, 00000000.00000002.1657755988.00000000031D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs RFQ 0400-ENPI-RQMA.exe
Source: RFQ 0400-ENPI-RQMA.exe, 00000002.00000002.1926765955.0000000000E47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameREPLACE.EXEj% vs RFQ 0400-ENPI-RQMA.exe
Source: RFQ 0400-ENPI-RQMA.exe, 00000002.00000002.1926765955.0000000000E5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameREPLACE.EXEj% vs RFQ 0400-ENPI-RQMA.exe
Source: RFQ 0400-ENPI-RQMA.exe, 00000002.00000002.1927402660.00000000014BD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ 0400-ENPI-RQMA.exe
Source: RFQ 0400-ENPI-RQMA.exe	Binary or memory string: OriginalFilenameaYJw.exe& vs RFQ 0400-ENPI-RQMA.exe

Uses 32bit PE files

Source: RFQ 0400-ENPI-RQMA.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 2.2.RFQ 0400-ENPI-RQMA.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.RFQ 0400-ENPI-RQMA.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1927201157.0000000001300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1926547005.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2175893456.0000000002FE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2175933717.0000000003020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2913084591.0000000004B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1928973003.00000000017E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2896021580.0000000002B50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: RFQ 0400-ENPI-RQMA.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, F6hFYiiBiVNM4n0oqc.cs	Security API names: _0020.SetAccessControl
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, F6hFYiiBiVNM4n0oqc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, F6hFYiiBiVNM4n0oqc.cs	Security API names: _0020.AddAccessRule
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, rDIp5G8onoljg2aKqn.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, rDIp5G8onoljg2aKqn.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, rDIp5G8onoljg2aKqn.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, F6hFYiiBiVNM4n0oqc.cs	Security API names: _0020.SetAccessControl
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, F6hFYiiBiVNM4n0oqc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, F6hFYiiBiVNM4n0oqc.cs	Security API names: _0020.AddAccessRule
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, F6hFYiiBiVNM4n0oqc.cs	Security API names: _0020.SetAccessControl
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, F6hFYiiBiVNM4n0oqc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, F6hFYiiBiVNM4n0oqc.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@1/1

Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ 0400-ENPI-RQMA.exe.log

Source: unknown	Process created: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe "C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe"
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process created: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe "C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe"
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	Process created: C:\Windows\SysWOW64\replace.exe "C:\Windows\SysWOW64\replace.exe"
Source: C:\Windows\SysWOW64\replace.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process created: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe "C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe"	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	Process created: C:\Windows\SysWOW64\replace.exe "C:\Windows\SysWOW64\replace.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: RFQ 0400-ENPI-RQMA.exe, Form1.cs	.Net Code: InitializeComponent
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, F6hFYiiBiVNM4n0oqc.cs	.Net Code: UR0T1nKqk3 System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, F6hFYiiBiVNM4n0oqc.cs	.Net Code: UR0T1nKqk3 System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.32e5318.4.raw.unpack, HomeView.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, F6hFYiiBiVNM4n0oqc.cs	.Net Code: UR0T1nKqk3 System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.7ae0000.11.raw.unpack, HomeView.cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_016AE460 pushfd ; retf	0_2_016AE461
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07B24507 pushad ; retf	0_2_07B24508
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07B244FD pushad ; retf	0_2_07B244FE
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07D8676F pushad ; retf	0_2_07D8677D
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 0_2_07D86847 push esp; retf	0_2_07D86855
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_00416023 push ds; ret	2_2_00416071
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_00404834 push ebx; ret	2_2_00404835
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0040A036 push es; ret	2_2_0040A039
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_004119A0 pushfd ; iretd	2_2_004119B2
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_00409A42 push ecx; ret	2_2_00409A46
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0040D276 push ebx; retf	2_2_0040D29A
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0040D214 push ecx; iretd	2_2_0040D215
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_00418B17 push ss; retf	2_2_00418B1B
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_004074E7 pushad ; iretd	2_2_004074F3
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_00403490 push eax; ret	2_2_00403492
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_00409D5A push cs; retf	2_2_00409D5B
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_00406524 push es; iretd	2_2_00406530
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_004145D8 pushfd ; ret	2_2_004145D9
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0040CE54 push cs; iretd	2_2_0040CE5B
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0139225F pushad ; ret	2_2_013927F9
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013927FA pushad ; ret	2_2_013927F9
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_01399939 push es; iretd	2_2_01399940
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_013C09AD push ecx; mov dword ptr [esp], ecx	2_2_013C09B6
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Code function: 2_2_0139283D push eax; iretd	2_2_01392858
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0316225F pushad ; ret	5_2_031627F9
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031627FA pushad ; ret	5_2_031627F9
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_031909AD push ecx; mov dword ptr [esp], ecx	5_2_031909B6
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_0316283D push eax; iretd	5_2_03162858
Source: C:\Windows\SysWOW64\replace.exe	Code function: 5_2_03161368 push eax; iretd	5_2_03161369

Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, YoSM6Wp2IrmhKrj3ZC.cs	High entropy of concatenated method names: 'EHpkOZGoim', 'WA1kLrXTxA', 'KAwkw91x1C', 'aXAkaIv7QY', 'oyaksa6BYE', 'ClbkI8eig4', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, uVaeFkcPeaH3ocHSEv0.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'h3ABspXNn4', 'bprB6oEHSI', 'OOwBhWr7FM', 'qslB2At04s', 'JNlBRH3Aso', 'ylhBxsepID', 'LGOBdMLWa6'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, XIpVv9AC41Lf2l6L2Q.cs	High entropy of concatenated method names: 'buojqmtYbm', 'LlojXKNTWv', 'CUUjmU9wpL', 'idLm5VJxhU', 'p2mmzMhrcr', 'MqljNyE9lA', 'xePjJ4ybse', 'wTMj3qPZl1', 'sQxjy54DYA', 'DM0jTyba28'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, yR7kGq657qmGnh4tKL.cs	High entropy of concatenated method names: 'Dispose', 'rt7JecR04u', 'vPl3LjlNpq', 'Mya44ixB1G', 'TG4J5Nl5ID', 'ERhJzRwAix', 'ProcessDialogKey', 'ViF3NgEZAV', 'CAt3JRHo3Y', 'kbU337WtIm'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, MYD0nFMdGQovafxJ7Z.cs	High entropy of concatenated method names: 'ToString', 'TXg7ENvWeS', 'dG17LdNH2W', 'RH17wjMabu', 'gVC7ar2iUl', 'fpt7INJBos', 'k7D7FOv6Zx', 'x0G7SN6d4H', 'UfC7iXNd2H', 'JiD7p8YshM'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, F6hFYiiBiVNM4n0oqc.cs	High entropy of concatenated method names: 'w0Pyco7jh7', 'nQMyqKQ0CB', 'JU3yPigGWy', 'fK2yX0Tmbq', 'L1OyYsdiWV', 'tUcymZSjEr', 'd9KyjFcQbs', 'mYvyUcW6O4', 'z7UyGZvsFt', 'cXcyChiKNm'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, v1EZnFxqBBh6XGqBr0.cs	High entropy of concatenated method names: 'ga7JjlR6FY', 'bOqJU3jPNZ', 'HNAJC2px6b', 'exJJHlHYga', 'TLfJKV4JKO', 'hSPJ7Cx93G', 'K4CWXHXaqrx2gKV2CN', 'Kb7wV8IIRBUbVtH4nt', 'qfL18rE5SgLOYfGNeO', 'z68JJQ1JoN'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, ynG9sBnaZATAKmVTe7.cs	High entropy of concatenated method names: 'aK41hKnqs', 'gEiZ7GbsC', 'IhX9M8pPa', 'dJi8lPsuF', 'z9tAIhOVH', 'b8juMXYIt', 'jcnDVa0umTBv8BGfWG', 'aJ6Xhf27CApeSBSRRh', 'NL2kZUIWP', 'I7yBpceb2'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, bcqsqkytaUAL9e8ErJ.cs	High entropy of concatenated method names: 'SXkoJ5XlMN', 'CPMoyaxOBX', 'tBUoT5y3q9', 'yV6oqWBaS5', 'VG7oPi6Z88', 'ElPoYlRwDR', 'xHDomnhDYP', 'BTBkdRC1EA', 'AMrkv5qsnA', 'xUJket4wiQ'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, rDIp5G8onoljg2aKqn.cs	High entropy of concatenated method names: 'GyEPsNGmbc', 'AeKP60Dcmb', 'fIQPhkuffT', 'r8kP2QiRoi', 'IFOPRb9hr3', 'i8KPx6pawM', 'ab2PdaQLtM', 'uPrPvfrUkR', 'PEePey8bVA', 'yFhP5KOi9N'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, KJLWMFUAwl9EjQ3Nxn.cs	High entropy of concatenated method names: 'pPZkqFnMuO', 'gKtkPlZJyb', 'fyOkX3Ypin', 'WMOkYIcsRd', 'uD3km0phmX', 'srRkjXBgAq', 'dIKkUuJ25Y', 'TWtkGqLEyw', 'VASkCJDl12', 'IhCkHVp5fj'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, ySKAX7gAV1CMZRPs6r.cs	High entropy of concatenated method names: 'uTOXZij8dh', 'r4qX9kwnlq', 'MVWXfxGigI', 'RWUXAwx6wh', 'UvyXKw7iD5', 'fShX7Z91Y4', 'WdBXtLkiQ6', 'dD3XkrQfFf', 'u7yXoaEKFj', 'VR7XBOUxXb'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, QSK4KUc4JILpZ3IpyRw.cs	High entropy of concatenated method names: 'VpqobrK9uA', 'rlVorSeCXt', 'G2oo1iR30C', 'NwRoZvZKd9', 'nCkonvFPUF', 'iYPo9ytsxA', 'kEco8oBvIe', 'ENGofls0qS', 'VPioAKXnss', 'gDvouoKYhp'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, uXWt4EzWmqvJcLS2dM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uiloM7MHuq', 'HRwoKmJojI', 'XHpo7RKDXT', 'x7Cot2jC8d', 'TRsokBIMEX', 'eG3oonQSXG', 'rLuoB7c2V9'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, grvkySDx2bMBUo2s1j.cs	High entropy of concatenated method names: 'Ii0tvRG7t9', 'KZft53SoFD', 'mJrkN6mqCr', 'APEkJDAwXq', 'vTOtEF0RNb', 't2rtDwfmRs', 'lSAtl1Vn71', 'oRIts0p6aB', 'NGbt6cqQcm', 's3AthSjkI6'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, GJJWFJkvd2VZBSbtjl.cs	High entropy of concatenated method names: 'jn8tCKY4Ck', 'EpitHys6B7', 'ToString', 'S40tqJnNbW', 'WettPrSuU5', 'Pa5tXD9rQB', 'mwitYiioBl', 'RnXtmwNDum', 'FTrtjtw5W8', 'd0ltU7gMUm'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, A8gFw3myrZdLsbB0jH.cs	High entropy of concatenated method names: 'hGoKV6pOP2', 'sDTKD6DAZl', 'D4TKsanD9P', 'SasK63Llaa', 'WFxKLVIpSQ', 'MyXKwq2vTU', 'wNyKa0NaZX', 'etEKIpeQwt', 'A0jKFCyT2p', 'TCLKSLsBAh'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, mQ0RGZYiDcvttbn8xA.cs	High entropy of concatenated method names: 'l01MfqMb0E', 'qeHMA1vonM', 'ME5MOCN54K', 'mXbMLwjK0S', 'bAvMaMexpa', 'GqfMIdE1tK', 'TaHMSNopXT', 'x88Mi2sc0L', 'xoLMVWXQC5', 'zeBMEjCkaL'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, JtfGZgjgKQWLSBqGf3.cs	High entropy of concatenated method names: 'LbfmcoYk6u', 'MV4mPPCLnY', 'P5JmYVhp03', 'la1mjB4EAP', 'xMmmUGtyGI', 'rl5YRHNysM', 'c5OYxKt6JN', 'dbGYdNW8td', 'qmtYvMqXKX', 'frYYeddTyN'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, bTPDcirfT3DGP9qfd1.cs	High entropy of concatenated method names: 'yPwYn0ZEad', 'ckJY8sQgtx', 'X2EXw7jaGY', 'yqJXaRAPmK', 'WrNXIEehvy', 'tNsXFB1nT7', 'rpmXSEgCcO', 'Xt6XiBYCTH', 'xKBXppOemy', 'AEjXVowRsU'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4f48240.10.raw.unpack, MDFNbnfWwmWjgD7ikE.cs	High entropy of concatenated method names: 'EZjjbluCTR', 'rcWjrtlD8U', 'ALDj1TjIys', 'zhyjZtkuHb', 'GCQjnFDD2h', 'KUsj9EVZR5', 'c0dj8Eynfa', 'HT6jfnLUrW', 'Jk7jAleOSw', 'z0hjudJV8m'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, YoSM6Wp2IrmhKrj3ZC.cs	High entropy of concatenated method names: 'EHpkOZGoim', 'WA1kLrXTxA', 'KAwkw91x1C', 'aXAkaIv7QY', 'oyaksa6BYE', 'ClbkI8eig4', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, uVaeFkcPeaH3ocHSEv0.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'h3ABspXNn4', 'bprB6oEHSI', 'OOwBhWr7FM', 'qslB2At04s', 'JNlBRH3Aso', 'ylhBxsepID', 'LGOBdMLWa6'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, XIpVv9AC41Lf2l6L2Q.cs	High entropy of concatenated method names: 'buojqmtYbm', 'LlojXKNTWv', 'CUUjmU9wpL', 'idLm5VJxhU', 'p2mmzMhrcr', 'MqljNyE9lA', 'xePjJ4ybse', 'wTMj3qPZl1', 'sQxjy54DYA', 'DM0jTyba28'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, yR7kGq657qmGnh4tKL.cs	High entropy of concatenated method names: 'Dispose', 'rt7JecR04u', 'vPl3LjlNpq', 'Mya44ixB1G', 'TG4J5Nl5ID', 'ERhJzRwAix', 'ProcessDialogKey', 'ViF3NgEZAV', 'CAt3JRHo3Y', 'kbU337WtIm'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, MYD0nFMdGQovafxJ7Z.cs	High entropy of concatenated method names: 'ToString', 'TXg7ENvWeS', 'dG17LdNH2W', 'RH17wjMabu', 'gVC7ar2iUl', 'fpt7INJBos', 'k7D7FOv6Zx', 'x0G7SN6d4H', 'UfC7iXNd2H', 'JiD7p8YshM'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, F6hFYiiBiVNM4n0oqc.cs	High entropy of concatenated method names: 'w0Pyco7jh7', 'nQMyqKQ0CB', 'JU3yPigGWy', 'fK2yX0Tmbq', 'L1OyYsdiWV', 'tUcymZSjEr', 'd9KyjFcQbs', 'mYvyUcW6O4', 'z7UyGZvsFt', 'cXcyChiKNm'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, v1EZnFxqBBh6XGqBr0.cs	High entropy of concatenated method names: 'ga7JjlR6FY', 'bOqJU3jPNZ', 'HNAJC2px6b', 'exJJHlHYga', 'TLfJKV4JKO', 'hSPJ7Cx93G', 'K4CWXHXaqrx2gKV2CN', 'Kb7wV8IIRBUbVtH4nt', 'qfL18rE5SgLOYfGNeO', 'z68JJQ1JoN'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, ynG9sBnaZATAKmVTe7.cs	High entropy of concatenated method names: 'aK41hKnqs', 'gEiZ7GbsC', 'IhX9M8pPa', 'dJi8lPsuF', 'z9tAIhOVH', 'b8juMXYIt', 'jcnDVa0umTBv8BGfWG', 'aJ6Xhf27CApeSBSRRh', 'NL2kZUIWP', 'I7yBpceb2'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, bcqsqkytaUAL9e8ErJ.cs	High entropy of concatenated method names: 'SXkoJ5XlMN', 'CPMoyaxOBX', 'tBUoT5y3q9', 'yV6oqWBaS5', 'VG7oPi6Z88', 'ElPoYlRwDR', 'xHDomnhDYP', 'BTBkdRC1EA', 'AMrkv5qsnA', 'xUJket4wiQ'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, rDIp5G8onoljg2aKqn.cs	High entropy of concatenated method names: 'GyEPsNGmbc', 'AeKP60Dcmb', 'fIQPhkuffT', 'r8kP2QiRoi', 'IFOPRb9hr3', 'i8KPx6pawM', 'ab2PdaQLtM', 'uPrPvfrUkR', 'PEePey8bVA', 'yFhP5KOi9N'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, KJLWMFUAwl9EjQ3Nxn.cs	High entropy of concatenated method names: 'pPZkqFnMuO', 'gKtkPlZJyb', 'fyOkX3Ypin', 'WMOkYIcsRd', 'uD3km0phmX', 'srRkjXBgAq', 'dIKkUuJ25Y', 'TWtkGqLEyw', 'VASkCJDl12', 'IhCkHVp5fj'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, ySKAX7gAV1CMZRPs6r.cs	High entropy of concatenated method names: 'uTOXZij8dh', 'r4qX9kwnlq', 'MVWXfxGigI', 'RWUXAwx6wh', 'UvyXKw7iD5', 'fShX7Z91Y4', 'WdBXtLkiQ6', 'dD3XkrQfFf', 'u7yXoaEKFj', 'VR7XBOUxXb'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, QSK4KUc4JILpZ3IpyRw.cs	High entropy of concatenated method names: 'VpqobrK9uA', 'rlVorSeCXt', 'G2oo1iR30C', 'NwRoZvZKd9', 'nCkonvFPUF', 'iYPo9ytsxA', 'kEco8oBvIe', 'ENGofls0qS', 'VPioAKXnss', 'gDvouoKYhp'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, uXWt4EzWmqvJcLS2dM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uiloM7MHuq', 'HRwoKmJojI', 'XHpo7RKDXT', 'x7Cot2jC8d', 'TRsokBIMEX', 'eG3oonQSXG', 'rLuoB7c2V9'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, grvkySDx2bMBUo2s1j.cs	High entropy of concatenated method names: 'Ii0tvRG7t9', 'KZft53SoFD', 'mJrkN6mqCr', 'APEkJDAwXq', 'vTOtEF0RNb', 't2rtDwfmRs', 'lSAtl1Vn71', 'oRIts0p6aB', 'NGbt6cqQcm', 's3AthSjkI6'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, GJJWFJkvd2VZBSbtjl.cs	High entropy of concatenated method names: 'jn8tCKY4Ck', 'EpitHys6B7', 'ToString', 'S40tqJnNbW', 'WettPrSuU5', 'Pa5tXD9rQB', 'mwitYiioBl', 'RnXtmwNDum', 'FTrtjtw5W8', 'd0ltU7gMUm'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, A8gFw3myrZdLsbB0jH.cs	High entropy of concatenated method names: 'hGoKV6pOP2', 'sDTKD6DAZl', 'D4TKsanD9P', 'SasK63Llaa', 'WFxKLVIpSQ', 'MyXKwq2vTU', 'wNyKa0NaZX', 'etEKIpeQwt', 'A0jKFCyT2p', 'TCLKSLsBAh'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, mQ0RGZYiDcvttbn8xA.cs	High entropy of concatenated method names: 'l01MfqMb0E', 'qeHMA1vonM', 'ME5MOCN54K', 'mXbMLwjK0S', 'bAvMaMexpa', 'GqfMIdE1tK', 'TaHMSNopXT', 'x88Mi2sc0L', 'xoLMVWXQC5', 'zeBMEjCkaL'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, JtfGZgjgKQWLSBqGf3.cs	High entropy of concatenated method names: 'LbfmcoYk6u', 'MV4mPPCLnY', 'P5JmYVhp03', 'la1mjB4EAP', 'xMmmUGtyGI', 'rl5YRHNysM', 'c5OYxKt6JN', 'dbGYdNW8td', 'qmtYvMqXKX', 'frYYeddTyN'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, bTPDcirfT3DGP9qfd1.cs	High entropy of concatenated method names: 'yPwYn0ZEad', 'ckJY8sQgtx', 'X2EXw7jaGY', 'yqJXaRAPmK', 'WrNXIEehvy', 'tNsXFB1nT7', 'rpmXSEgCcO', 'Xt6XiBYCTH', 'xKBXppOemy', 'AEjXVowRsU'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.31d0000.0.raw.unpack, MDFNbnfWwmWjgD7ikE.cs	High entropy of concatenated method names: 'EZjjbluCTR', 'rcWjrtlD8U', 'ALDj1TjIys', 'zhyjZtkuHb', 'GCQjnFDD2h', 'KUsj9EVZR5', 'c0dj8Eynfa', 'HT6jfnLUrW', 'Jk7jAleOSw', 'z0hjudJV8m'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, YoSM6Wp2IrmhKrj3ZC.cs	High entropy of concatenated method names: 'EHpkOZGoim', 'WA1kLrXTxA', 'KAwkw91x1C', 'aXAkaIv7QY', 'oyaksa6BYE', 'ClbkI8eig4', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, uVaeFkcPeaH3ocHSEv0.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'h3ABspXNn4', 'bprB6oEHSI', 'OOwBhWr7FM', 'qslB2At04s', 'JNlBRH3Aso', 'ylhBxsepID', 'LGOBdMLWa6'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, XIpVv9AC41Lf2l6L2Q.cs	High entropy of concatenated method names: 'buojqmtYbm', 'LlojXKNTWv', 'CUUjmU9wpL', 'idLm5VJxhU', 'p2mmzMhrcr', 'MqljNyE9lA', 'xePjJ4ybse', 'wTMj3qPZl1', 'sQxjy54DYA', 'DM0jTyba28'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, yR7kGq657qmGnh4tKL.cs	High entropy of concatenated method names: 'Dispose', 'rt7JecR04u', 'vPl3LjlNpq', 'Mya44ixB1G', 'TG4J5Nl5ID', 'ERhJzRwAix', 'ProcessDialogKey', 'ViF3NgEZAV', 'CAt3JRHo3Y', 'kbU337WtIm'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, MYD0nFMdGQovafxJ7Z.cs	High entropy of concatenated method names: 'ToString', 'TXg7ENvWeS', 'dG17LdNH2W', 'RH17wjMabu', 'gVC7ar2iUl', 'fpt7INJBos', 'k7D7FOv6Zx', 'x0G7SN6d4H', 'UfC7iXNd2H', 'JiD7p8YshM'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, F6hFYiiBiVNM4n0oqc.cs	High entropy of concatenated method names: 'w0Pyco7jh7', 'nQMyqKQ0CB', 'JU3yPigGWy', 'fK2yX0Tmbq', 'L1OyYsdiWV', 'tUcymZSjEr', 'd9KyjFcQbs', 'mYvyUcW6O4', 'z7UyGZvsFt', 'cXcyChiKNm'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, v1EZnFxqBBh6XGqBr0.cs	High entropy of concatenated method names: 'ga7JjlR6FY', 'bOqJU3jPNZ', 'HNAJC2px6b', 'exJJHlHYga', 'TLfJKV4JKO', 'hSPJ7Cx93G', 'K4CWXHXaqrx2gKV2CN', 'Kb7wV8IIRBUbVtH4nt', 'qfL18rE5SgLOYfGNeO', 'z68JJQ1JoN'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, ynG9sBnaZATAKmVTe7.cs	High entropy of concatenated method names: 'aK41hKnqs', 'gEiZ7GbsC', 'IhX9M8pPa', 'dJi8lPsuF', 'z9tAIhOVH', 'b8juMXYIt', 'jcnDVa0umTBv8BGfWG', 'aJ6Xhf27CApeSBSRRh', 'NL2kZUIWP', 'I7yBpceb2'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, bcqsqkytaUAL9e8ErJ.cs	High entropy of concatenated method names: 'SXkoJ5XlMN', 'CPMoyaxOBX', 'tBUoT5y3q9', 'yV6oqWBaS5', 'VG7oPi6Z88', 'ElPoYlRwDR', 'xHDomnhDYP', 'BTBkdRC1EA', 'AMrkv5qsnA', 'xUJket4wiQ'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, rDIp5G8onoljg2aKqn.cs	High entropy of concatenated method names: 'GyEPsNGmbc', 'AeKP60Dcmb', 'fIQPhkuffT', 'r8kP2QiRoi', 'IFOPRb9hr3', 'i8KPx6pawM', 'ab2PdaQLtM', 'uPrPvfrUkR', 'PEePey8bVA', 'yFhP5KOi9N'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, KJLWMFUAwl9EjQ3Nxn.cs	High entropy of concatenated method names: 'pPZkqFnMuO', 'gKtkPlZJyb', 'fyOkX3Ypin', 'WMOkYIcsRd', 'uD3km0phmX', 'srRkjXBgAq', 'dIKkUuJ25Y', 'TWtkGqLEyw', 'VASkCJDl12', 'IhCkHVp5fj'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, ySKAX7gAV1CMZRPs6r.cs	High entropy of concatenated method names: 'uTOXZij8dh', 'r4qX9kwnlq', 'MVWXfxGigI', 'RWUXAwx6wh', 'UvyXKw7iD5', 'fShX7Z91Y4', 'WdBXtLkiQ6', 'dD3XkrQfFf', 'u7yXoaEKFj', 'VR7XBOUxXb'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, QSK4KUc4JILpZ3IpyRw.cs	High entropy of concatenated method names: 'VpqobrK9uA', 'rlVorSeCXt', 'G2oo1iR30C', 'NwRoZvZKd9', 'nCkonvFPUF', 'iYPo9ytsxA', 'kEco8oBvIe', 'ENGofls0qS', 'VPioAKXnss', 'gDvouoKYhp'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, uXWt4EzWmqvJcLS2dM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uiloM7MHuq', 'HRwoKmJojI', 'XHpo7RKDXT', 'x7Cot2jC8d', 'TRsokBIMEX', 'eG3oonQSXG', 'rLuoB7c2V9'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, grvkySDx2bMBUo2s1j.cs	High entropy of concatenated method names: 'Ii0tvRG7t9', 'KZft53SoFD', 'mJrkN6mqCr', 'APEkJDAwXq', 'vTOtEF0RNb', 't2rtDwfmRs', 'lSAtl1Vn71', 'oRIts0p6aB', 'NGbt6cqQcm', 's3AthSjkI6'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, GJJWFJkvd2VZBSbtjl.cs	High entropy of concatenated method names: 'jn8tCKY4Ck', 'EpitHys6B7', 'ToString', 'S40tqJnNbW', 'WettPrSuU5', 'Pa5tXD9rQB', 'mwitYiioBl', 'RnXtmwNDum', 'FTrtjtw5W8', 'd0ltU7gMUm'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, A8gFw3myrZdLsbB0jH.cs	High entropy of concatenated method names: 'hGoKV6pOP2', 'sDTKD6DAZl', 'D4TKsanD9P', 'SasK63Llaa', 'WFxKLVIpSQ', 'MyXKwq2vTU', 'wNyKa0NaZX', 'etEKIpeQwt', 'A0jKFCyT2p', 'TCLKSLsBAh'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, mQ0RGZYiDcvttbn8xA.cs	High entropy of concatenated method names: 'l01MfqMb0E', 'qeHMA1vonM', 'ME5MOCN54K', 'mXbMLwjK0S', 'bAvMaMexpa', 'GqfMIdE1tK', 'TaHMSNopXT', 'x88Mi2sc0L', 'xoLMVWXQC5', 'zeBMEjCkaL'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, JtfGZgjgKQWLSBqGf3.cs	High entropy of concatenated method names: 'LbfmcoYk6u', 'MV4mPPCLnY', 'P5JmYVhp03', 'la1mjB4EAP', 'xMmmUGtyGI', 'rl5YRHNysM', 'c5OYxKt6JN', 'dbGYdNW8td', 'qmtYvMqXKX', 'frYYeddTyN'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, bTPDcirfT3DGP9qfd1.cs	High entropy of concatenated method names: 'yPwYn0ZEad', 'ckJY8sQgtx', 'X2EXw7jaGY', 'yqJXaRAPmK', 'WrNXIEehvy', 'tNsXFB1nT7', 'rpmXSEgCcO', 'Xt6XiBYCTH', 'xKBXppOemy', 'AEjXVowRsU'
Source: 0.2.RFQ 0400-ENPI-RQMA.exe.4ec4620.9.raw.unpack, MDFNbnfWwmWjgD7ikE.cs	High entropy of concatenated method names: 'EZjjbluCTR', 'rcWjrtlD8U', 'ALDj1TjIys', 'zhyjZtkuHb', 'GCQjnFDD2h', 'KUsj9EVZR5', 'c0dj8Eynfa', 'HT6jfnLUrW', 'Jk7jAleOSw', 'z0hjudJV8m'

Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Memory allocated: 16A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Memory allocated: 32C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Memory allocated: 31D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Memory allocated: 9130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Memory allocated: A130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Memory allocated: A330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Memory allocated: B330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Memory allocated: B720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Memory allocated: C720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Memory allocated: D720000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\replace.exe	API coverage: 1.5 %

Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe TID: 7320	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe TID: 8056	Thread sleep time: -70000s >= -30000s			Jump to behavior

Source: KdcHSkcpIgYD.exe, 00000008.00000002.2897904330.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
Source: replace.exe, 00000005.00000002.2175137923.0000000002B20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: NULL target: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\RFQ 0400-ENPI-RQMA.exe	Section loaded: NULL target: C:\Windows\SysWOW64\replace.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: NULL target: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: NULL target: C:\Program Files (x86)\qFgkKdcrcNUsYBUTPurGEnMHfMasRAlTboeKQkbdiNEZEXHgzpjLlVBNYWEKR\KdcHSkcpIgYD.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: KdcHSkcpIgYD.exe, 00000004.00000000.1853836603.00000000015A1000.00000002.00000001.00040000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000004.00000002.2895817745.00000000015A0000.00000002.00000001.00040000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000008.00000000.1995433621.0000000000E71000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: KdcHSkcpIgYD.exe, 00000004.00000000.1853836603.00000000015A1000.00000002.00000001.00040000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000004.00000002.2895817745.00000000015A0000.00000002.00000001.00040000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000008.00000000.1995433621.0000000000E71000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: KdcHSkcpIgYD.exe, 00000004.00000000.1853836603.00000000015A1000.00000002.00000001.00040000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000004.00000002.2895817745.00000000015A0000.00000002.00000001.00040000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000008.00000000.1995433621.0000000000E71000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: KdcHSkcpIgYD.exe, 00000004.00000000.1853836603.00000000015A1000.00000002.00000001.00040000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000004.00000002.2895817745.00000000015A0000.00000002.00000001.00040000.00000000.sdmp, KdcHSkcpIgYD.exe, 00000008.00000000.1995433621.0000000000E71000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

ID:	1430324
Product:	CloudBasic
Start time:	14:22:05
Start date:	23.04.2024
Sample:	RFQ 0400-ENPI-RQMA.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	73b6e5a11aff9e7bd681b55136c5fbcf
SHA1:	d8113fa2bd2b2fa43f3920b93f9a5217b9cb69a2
SHA256:	3ca71ea7d01b1f1e3613781fcd68b47c09a159af5876c134065bef4d912917a6
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ 0400-ENPI-RQMA.exe.log	ASCII text, with CRLF line terminators	3978978DE913FD1C068312697D6E5917	1DABBE7FB8F38F6EBF474CE5F0ECAA89F48E2538	33B7B1668DDD3AB39711F9F93B667F6F2F674348A79228BFA163BA625B37F120
C:\Users\user\AppData\Local\Temp\C3vB7APK	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2	780853CDDEAEE8DE70F28A4B255A600B	AD7A5DA33F7AD12946153C497E990720B09005ED	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3

Windows Analysis Report RFQ 0400-ENPI-RQMA.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
RFQ 0400-ENPI-RQMA.exe

Malware Threat Intel
Provided by