Analysis Report NEW RFQ.exe

Overview

General Information

Sample Name: NEW RFQ.exe
Analysis ID: 255485
MD5: 2b3645fa1dba023aa4f7a32b84242839
SHA1: ff913e68785f4aab041c85fce1e039087fc09757
SHA256: a7879f81b9af693705fbbda07a1a2a5ebfdcccc7b1184f70fd6d3285da9f2f2d

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Yara detected AntiVM_3
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Startup

  • System is w10x64
  • NEW RFQ.exe (PID: 7164 cmdline: 'C:\Users\user\Desktop\NEW RFQ.exe' MD5: 2B3645FA1DBA023AA4F7A32B84242839)
    • NEW RFQ.exe (PID: 1756 cmdline: {path} MD5: 2B3645FA1DBA023AA4F7A32B84242839)
    • NEW RFQ.exe (PID: 5096 cmdline: {path} MD5: 2B3645FA1DBA023AA4F7A32B84242839)
  • YYtJku.exe (PID: 1640 cmdline: 'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe' MD5: 2B3645FA1DBA023AA4F7A32B84242839)
    • YYtJku.exe (PID: 4800 cmdline: {path} MD5: 2B3645FA1DBA023AA4F7A32B84242839)
  • YYtJku.exe (PID: 792 cmdline: 'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe' MD5: 2B3645FA1DBA023AA4F7A32B84242839)
    • YYtJku.exe (PID: 6600 cmdline: {path} MD5: 2B3645FA1DBA023AA4F7A32B84242839)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "iCXwxYYr7", "URL: ": "https://AXtxDU5WDMRP39.com", "To: ": "", "ByHost: ": "mail.flsrnidth.com:587", "Password: ": "QbDosgsk", "From: ": ""}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
NEW RFQ.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • 0x3c269:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • 0x3c269:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000000.277748117.0000000000212000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • 0x3c069:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000002.00000002.538720811.0000000000F22000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • 0x3c069:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0000000D.00000002.538707802.00000000009E2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • 0x3c069:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000000.00000000.270182973.0000000000252000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • 0x3c069:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000002.00000002.541382140.00000000032EA000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
14.2.YYtJku.exe.a80000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • 0x3c269:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
11.0.YYtJku.exe.680000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • 0x3c269:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
1.0.NEW RFQ.exe.210000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • 0x3c269:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
13.0.YYtJku.exe.9e0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • 0x3c269:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
15.0.YYtJku.exe.530000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • 0x3c269:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: NEW RFQ.exe.5096.2.memstr, Malware Configuration Extractor: Agenttesla {"Username: ": "iCXwxYYr7", "URL: ": "https://AXtxDU5WDMRP39.com", "To: ": "", "ByHost: ": "mail.flsrnidth.com:587", "Password: ": "QbDosgsk", "From: ": ""}
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: NEW RFQ.exe, Joe Sandbox ML: detected
Source: global traffic, TCP traffic: 192.168.2.6:49757 -> 167.114.220.88:587
Source: unknown, DNS traffic detected: queries for: g.msn.com
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_04F4119B14_2_04F4119B
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_04F4452314_2_04F44523
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_04F43FF314_2_04F43FF3
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_04F4271314_2_04F42713
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_07D076AB14_2_07D076AB
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_07D035C314_2_07D035C3
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_07D035C814_2_07D035C8
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_07D0B5B914_2_07D0B5B9
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_07D0451014_2_07D04510
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_07D0B40014_2_07D0B400
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_07D0B3FB14_2_07D0B3FB
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_07D0F31814_2_07D0F318
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_07D0633314_2_07D06333
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_07D062FB14_2_07D062FB
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_07D0C0EB14_2_07D0C0EB
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_07D0808314_2_07D08083
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_07D0AF9814_2_07D0AF98
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_07D0AF8814_2_07D0AF88
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_07D06F1814_2_07D06F18
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_07D08F3614_2_07D08F36
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_07D08F3814_2_07D08F38
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_07D08EE114_2_07D08EE1
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_07D04DEB14_2_07D04DEB
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_07D09B9B14_2_07D09B9B
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_07D07B7B14_2_07D07B7B
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_07D0A91014_2_07D0A910
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 14_2_07D0A90B14_2_07D0A90B
    Source: NEW RFQ.exe, 00000000.00000002.282109986.0000000002D47000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameaAWgYgwZmPUHFWPjEssO.exe4 vs NEW RFQ.exe
    Source: NEW RFQ.exe, 00000000.00000002.279321335.0000000000308000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameNaoNt.exe. vs NEW RFQ.exe
    Source: NEW RFQ.exe, 00000000.00000002.286490551.0000000007980000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameLoreal.exe4 vs NEW RFQ.exe
    Source: NEW RFQ.exe, 00000000.00000002.280311670.0000000002691000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSparta.dll. vs NEW RFQ.exe
    Source: NEW RFQ.exe, 00000001.00000000.277838893.00000000002C8000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameNaoNt.exe. vs NEW RFQ.exe
    Source: NEW RFQ.exe, 00000002.00000002.539107048.0000000001367000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameUNKNOWN_FILET vs NEW RFQ.exe
    Source: NEW RFQ.exe, 00000002.00000002.546314466.0000000005A80000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs NEW RFQ.exe
    Source: NEW RFQ.exe, 00000002.00000002.547148112.00000000068A0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamewshom.ocx vs NEW RFQ.exe
    Source: NEW RFQ.exe, 00000002.00000002.547398548.0000000006910000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs NEW RFQ.exe
    Source: NEW RFQ.exe, 00000002.00000002.547179905.00000000068B0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamewshom.ocx.mui vs NEW RFQ.exe
    Source: NEW RFQ.exe, 00000002.00000002.538990988.0000000000FD8000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameNaoNt.exe. vs NEW RFQ.exe
    Source: NEW RFQ.exe, 00000002.00000002.538444534.0000000000402000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenameaAWgYgwZmPUHFWPjEssO.exe4 vs NEW RFQ.exe
    Source: NEW RFQ.exe; Binary or memory string: OriginalFilenameNaoNt.exe. vs NEW RFQ.exe
    Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file. The rule matched in the following sources:
    Source: NEW RFQ.exe, type: SAMPLE
    Source: 00000001.00000000.277748117.0000000000212000.00000002.00020000.sdmp, type: MEMORY
    Source: 00000002.00000002.538720811.0000000000F22000.00000002.00020000.sdmp, type: MEMORY
    Source: 0000000D.00000002.538707802.00000000009E2000.00000002.00020000.sdmp, type: MEMORY
    Source: 00000000.00000000.270182973.0000000000252000.00000002.00020000.sdmp, type: MEMORY
    Source: 00000001.00000002.277954782.0000000000212000.00000002.00020000.sdmp, type: MEMORY
    Source: 0000000E.00000000.362196222.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
    Source: 00000002.00000000.278683494.0000000000F22000.00000002.00020000.sdmp, type: MEMORY
    Source: 0000000D.00000000.356501398.00000000009E2000.00000002.00020000.sdmp, type: MEMORY
    Source: 0000000F.00000002.390982188.0000000000532000.00000002.00020000.sdmp, type: MEMORY
    Source: 0000000F.00000000.376900700.0000000000532000.00000002.00020000.sdmp, type: MEMORY
    Source: 00000000.00000002.279209787.0000000000252000.00000002.00020000.sdmp, type: MEMORY
    Source: 0000000B.00000002.357120733.0000000000682000.00000002.00020000.sdmp, type: MEMORY
    Source: 0000000B.00000000.346365571.0000000000682000.00000002.00020000.sdmp, type: MEMORY
    Source: 0000000E.00000002.378346662.0000000000A82000.00000002.00020000.sdmp, type: MEMORY
    Source: Process Memory Space: NEW RFQ.exe PID: 5096, type: MEMORY
    Source: Process Memory Space: YYtJku.exe PID: 792, type: MEMORY
    Source: Process Memory Space: YYtJku.exe PID: 6600, type: MEMORY
    Source: Process Memory Space: YYtJku.exe PID: 4800, type: MEMORY
    Source: Process Memory Space: YYtJku.exe PID: 1640, type: MEMORY
    Source: Process Memory Space: NEW RFQ.exe PID: 1756, type: MEMORY
    Source: Process Memory Space: NEW RFQ.exe PID: 7164, type: MEMORY
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe, type: DROPPED
    Source: 14.2.YYtJku.exe.a80000.0.unpack, type: UNPACKEDPE
    Source: 11.0.YYtJku.exe.680000.0.unpack, type: UNPACKEDPE
    Source: 1.0.NEW RFQ.exe.210000.0.unpack, type: UNPACKEDPE
    Source: 13.0.YYtJku.exe.9e0000.0.unpack, type: UNPACKEDPE
    Source: 15.0.YYtJku.exe.530000.0.unpack, type: UNPACKEDPE
    Source: 0.0.NEW RFQ.exe.250000.0.unpack, type: UNPACKEDPE
    Source: 2.0.NEW RFQ.exe.f20000.0.unpack, type: UNPACKEDPE
    Source: 13.2.YYtJku.exe.9e0000.1.unpack, type: UNPACKEDPE
    Source: 14.0.YYtJku.exe.a80000.0.unpack, type: UNPACKEDPE
    Source: 1.2.NEW RFQ.exe.210000.0.unpack, type: UNPACKEDPE
    Source: 11.2.YYtJku.exe.680000.0.unpack, type: UNPACKEDPE
    Source: 2.2.NEW RFQ.exe.f20000.1.unpack, type: UNPACKEDPE
    Source: 0.2.NEW RFQ.exe.250000.0.unpack, type: UNPACKEDPE
    Source: 15.2.YYtJku.exe.530000.1.unpack, type: UNPACKEDPE
    Source: NEW RFQ.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: YYtJku.exe.2.dr; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: NEW RFQ.exe, 00000000.00000002.280311670.0000000002691000.00000004.00000001.sdmp, YYtJku.exe, 0000000B.00000002.360146474.0000000002C01000.00000004.00000001.sdmp, YYtJku.exe, 0000000E.00000002.379827908.0000000002ED1000.00000004.00000001.sdmp; Binary or memory string: Databricks.sln
    Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@11/4@5/2
    Source: C:\Users\user\Desktop\NEW RFQ.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW RFQ.exe.log
    Source: C:\Users\user\Desktop\NEW RFQ.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\NEW RFQ.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Users\user\Desktop\NEW RFQ.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
    Source: C:\Users\user\Desktop\NEW RFQ.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\NEW RFQ.exe; File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe; File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Users\user\Desktop\NEW RFQ.exe; File read: C:\Users\user\Desktop\NEW RFQ.exe
    Source: unknown; Process created: C:\Users\user\Desktop\NEW RFQ.exe 'C:\Users\user\Desktop\NEW RFQ.exe'
    Source: unknown; Process created: C:\Users\user\Desktop\NEW RFQ.exe {path}
    Source: unknown; Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe 'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe'
    Source: unknown; Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe {path}
    Source: C:\Users\user\Desktop\NEW RFQ.exe; Process created: C:\Users\user\Desktop\NEW RFQ.exe {path}
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe; Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe {path}
    Source: C:\Users\user\Desktop\NEW RFQ.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
    Source: C:\Users\user\Desktop\NEW RFQ.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: C:\Users\user\Desktop\NEW RFQ.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Source: NEW RFQ.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: NEW RFQ.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: initial sample; Static PE information: section name: .text entropy: 7.51570446474
    Source: C:\Users\user\Desktop\NEW RFQ.exe; File created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe
    Source: C:\Users\user\Desktop\NEW RFQ.exe; Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run YYtJku

    Hooking and other Techniques for Hiding and Protection:

    Hides that the sample has been downloaded from the Internet (zone.identifier)
    Source: C:\Users\user\Desktop\NEW RFQ.exe; File opened: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe:Zone.Identifier read attributes | delete
    Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe; File opened: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe:Zone.Identifier read attributes | delete
    Moves itself to temp directory
    Source: c:\users\user\desktop\new rfq.exe; File moved: C:\Users\user\AppData\Local\Temp\tmpG790.tmp
    Source: C:\Users\user\Desktop\NEW RFQ.exe; Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\NEW RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\NEW RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\NEW RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\NEW RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\NEW RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\NEW RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\NEW RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\NEW RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\NEW RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\NEW RFQ.exeProcess information set: NOOPENFILEERRORB