Windows Analysis Report RFQ_ 21072021.exe

Overview

General Information

Sample Name:	RFQ_ 21072021.exe
Analysis ID:	452459
MD5:	0a74cbd4246a6e11077876c572a3d507
SHA1:	0a4f341f4e9b399fa37a42e041bb3bb3b6f455ff
SHA256:	4856e75e63f0c5c14255001eefbea1d88c99fa8b7279dd0703a407a90b222b93
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

.NET source code contains very large array initializations

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Signatures

AV Detection:

Found malware configuration

Source: 5.2.RFQ_ 21072021.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "webmaster@tccinfaes.com", "Password": "transportes", "Host": "mail.tccinfaes.com"}

Multi AV Scanner detection for submitted file

Source: RFQ_ 21072021.exe	Virustotal: Detection: 30%			Perma Link
Source: RFQ_ 21072021.exe	ReversingLabs: Detection: 15%

Machine Learning detection for sample

Source: RFQ_ 21072021.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 5.2.RFQ_ 21072021.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files

Source: RFQ_ 21072021.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: RFQ_ 21072021.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.3:49739 -> 188.93.227.195:587

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 188.93.227.195 188.93.227.195

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CLARANET-ASClaraNETLTDGB CLARANET-ASClaraNETLTDGB

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.3:49739 -> 188.93.227.195:587

Source: unknown

DNS traffic detected: queries for: mail.tccinfaes.com

Source: RFQ_ 21072021.exe, 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RFQ_ 21072021.exe, 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RFQ_ 21072021.exe, 00000005.00000002.473275358.00000000034E4000.00000004.00000001.sdmp	String found in binary or memory: http://TryUj9XyxT6LakY.org
Source: RFQ_ 21072021.exe	String found in binary or memory: http://api.twitter.com/1/direct_messages.xml?since_id=
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp	String found in binary or memory: http://mail.tccinfaes.com
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0)
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp	String found in binary or memory: http://tccinfaes.com
Source: RFQ_ 21072021.exe	String found in binary or memory: http://twitter.com/statuses/user_timeline.xml?screen_name=
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: RFQ_ 21072021.exe, 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp	String found in binary or memory: http://xmALXm.com
Source: RFQ_ 21072021.exe, 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RFQ_ 21072021.exe, 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations

Source: 5.2.RFQ_ 21072021.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b8EE18770u002dEECEu002d4ADFu002d9E9Eu002d074DF25730B2u007d/u00311D6105Cu002dDC1Du002d4AAAu002d8C1Bu002dC3E13237EBD4.cs

Large array initialization: .cctor: array initializer size 11960

Detected potential crypto function

Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Code function: 5_2_014FC898	5_2_014FC898
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Code function: 5_2_014F2B98	5_2_014F2B98
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Code function: 5_2_014F55E0	5_2_014F55E0
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Code function: 5_2_014F8690	5_2_014F8690
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Code function: 5_2_014F0B10	5_2_014F0B10
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Code function: 5_2_014F2B84	5_2_014F2B84
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Code function: 5_2_015A47A0	5_2_015A47A0
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Code function: 5_2_015A3E4A	5_2_015A3E4A
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Code function: 5_2_015A4752	5_2_015A4752
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Code function: 5_2_015A4790	5_2_015A4790
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Code function: 5_2_015AD661	5_2_015AD661

PE file contains strange resources

Source: RFQ_ 21072021.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: RFQ_ 21072021.exe, 00000000.00000000.200067110.00000000005DA000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameValueFix.exe8 vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe, 00000005.00000002.470604186.00000000015CA000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe, 00000005.00000002.470440078.0000000001500000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe, 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamegzwcjkfsADBjJOEQlRwAtFYMhaFmnBBLEezh.exe4 vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe, 00000005.00000002.475880688.0000000006310000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe, 00000005.00000000.251584660.0000000000E5A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameValueFix.exe8 vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe, 00000005.00000002.468933088.0000000000FA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe, 00000005.00000002.469162239.00000000012F8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe	Binary or memory string: OriginalFilenameValueFix.exe8 vs RFQ_ 21072021.exe

Uses 32bit PE files

Source: RFQ_ 21072021.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: RFQ_ 21072021.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: RFQ_ 21072021.exe, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.RFQ_ 21072021.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.RFQ_ 21072021.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1

Source: C:\Users\user\Desktop\RFQ_ 21072021.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ_ 21072021.exe.log

Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RFQ_ 21072021.exe 'C:\Users\user\Desktop\RFQ_ 21072021.exe'
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process created: C:\Users\user\Desktop\RFQ_ 21072021.exe C:\Users\user\Desktop\RFQ_ 21072021.exe
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process created: C:\Users\user\Desktop\RFQ_ 21072021.exe C:\Users\user\Desktop\RFQ_ 21072021.exe	Jump to behavior

Source: RFQ_ 21072021.exe, vH5CTpL7PRrybq4BEx/DvSBiax85Mf9iXnJls.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'TUkhHwEoMQ', 'jexqB0sQvf', 'EAMq0Lgmng', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'DvQq9YiAtj'
Source: RFQ_ 21072021.exe, hFoyd9ZZlscN3Tfusf/bsYUZZyCX661EfBocS.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'kZMhivpLIy', 'x1PKGpaia1', 'BJaKdSKsIu', 'cGEKnJLZ5S', 'zqEKR4RpPQ', 'RvgKyr1y5H', 'NfBKDsUM5S', 'lqVKBUFGHP'
Source: RFQ_ 21072021.exe, iXcXSY7pg6yVKma70g/jLGGdLl5HwEF2rsueU.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'IBvOK1Pi9i', 'SKo7x85PYt', 'bku7L97UVm', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'FB3JJ7eR0b'
Source: RFQ_ 21072021.exe, mnTCYWkpLjqq4LGHqX/kfr1mxPYEEI8CfmbyY.cs	High entropy of concatenated method names: 'RMtXalTxwL', 'jOaXRpwgJK', 'Q5aX2yhTm1', 'xTiXQQsa9W', 'B0IXY77Bln', 'CnDX8xXo6b', 'yyNXnjGTLw', 'c8vXTNTefY', 'kYTX4YC92l', 'SeYXSfOxoW'
Source: RFQ_ 21072021.exe, tTffFSW6kXuWfKvgpm/UOSweUjq7D3sPinCNu.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'wsnOiC6GaD', 'hHGOMCIsTu', 'BJkONONCLV', 'KPQOu61RIR', 'HxMOnKvXh0', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ'
Source: RFQ_ 21072021.exe, w6i5Cem3b4xmaEE2yY/rUOALAfKg30nVuRCdr.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'qH2gvI9wZD', 'o3YJ90YG3K', 'VQ1JzqnLgi', 'WwW71Ti0Ad', 'v1F7ZYu8Uf', 'dxP7NYx2jU', 'kyw7irjvf8', 'wM57hnS8DW'
Source: RFQ_ 21072021.exe, BOhciDTI7UxO4gCOYU/Ksq8yb8IncZbxUSfmK.cs	High entropy of concatenated method names: 'HZlDPscN3T', 'NusDkf5vSB', 'cnJDblsYH5', 'HTpD57PRry', 'fALD6AKg30', 'kVuDURCdrY', 'Fi5DCCe3b4', 'LmaD9EE2yY', 'a3sDoPinCN', 'jATDyffFS6'
Source: RFQ_ 21072021.exe, pRlxiNUbgypVuoP6Uh/B4JTi56RhtZikvpub4.cs	High entropy of concatenated method names: 's3PpInSb1e', 'bripoYOGY3', 'cONpZriHm4', 'p1Ipx2BLIJ', 'yuDpfSAUcP', 'rv9pmVEwn5', 'odXpjX6no1', 'zUhpW2PJTx', 'HEJp7SLcUP', 'm6Epc8HDNQ'
Source: RFQ_ 21072021.exe, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.cs	High entropy of concatenated method names: 'FsAGkxXBtY', 'TQpG6mcP37', 'NwdGUDD57w', '.ctor', '.ctor', 'upuGtXdOLY', 'mDjGb9jM1G', 'eutG5DCn44', 'sqXGKZ9lIE', 'U4ObLnO8pNqZRXbmlDm'
Source: RFQ_ 21072021.exe, RfbfwGoi8RPSlkqfew/qGs0IBIGoXtVyYiA1b.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'ehiKVxgOqk', 'LXqKXarBEi', 'BLMKWrRO8N', 'xuZKgi2kW4', 'bKKKjrFVis', 'sDiK8i9FmT', 'SDnKo9k9ij', 'EYEKf66OdJ'
Source: RFQ_ 21072021.exe, kXrdsv5uiP4KNIMTbI/G3qiembJ0C8UrfLoZV.cs	High entropy of concatenated method names: 'bagpr2m3hV', 'iGapBfs8pV', 'h6Ipqu7YNW', 'TFJpJ0FEjI', 'krmpap9A66', 'lQ9pRAvFtZ', 'WfIpAOuqVa', 'TpNp2rG3xC', 'vCrpQI9Vta', 'GClpsf0sCk'
Source: RFQ_ 21072021.exe, gqpYcCwBrSrjvOKN6q/IQsis3cmuWgyYrWLIv.cs	High entropy of concatenated method names: '.ctor', 'YN9GDMDqbS', 'UwiGXgxhR5', 'gthGpXFG2c', 'ngcGhmkHlQ', 'HVCGgN1oxl', 'KhMGO58mrv', 'eg5aFLImrdSvdXjBWky', 'SO4kInIZEE6eEbTFr2r', 'jraHeDIreMNgnEaTC1n'
Source: RFQ_ 21072021.exe, kYTYC9Dp2lHvdL05CDn/hCHQaLDX5jt1yNjGTLw.cs	High entropy of concatenated method names: '.ctor', 'mDDGcb94xK', 'G8QGwwKryy', 'THMGvTWsr1', 'f5AG0KfJH7', 'z24GHSyjdO', 'BcvG3YDk2Q', 'bdPGdKrmpJ', 'HX3GeiDjeb', 'CTiGzf0MTM'
Source: RFQ_ 21072021.exe, LkgEbVzqnyfvD9F8H4/oEghyCe5Od9Uuo0voS.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'eliGylqiUR', 'VI27Op8v8m', 'ssN7QONSW9', 'R3lWrtO1QeoiU6PecH5', 'BnDSLGO713q4vgaRLQF', 'B9k7VDOxqLZy0YQN1hV', 'exF0vPON2GlJMfaSuqm', 'ovBBCAOvd0wREXMLZFH'
Source: RFQ_ 21072021.exe, qNHMG6DDHOYZZ5NjAIq/pdO1x8DEK7IDC09kUd6.cs	High entropy of concatenated method names: 'Dispose', 'JlJGLNYeE8', 'Q4nGfoJqPc', 'DXPGmUGTfi', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'xDZsj1OsUUcAGBnvxhH', 'BiQy5SOUvqUO3fyuhUy'
Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, vH5CTpL7PRrybq4BEx/DvSBiax85Mf9iXnJls.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'TUkhHwEoMQ', 'jexqB0sQvf', 'EAMq0Lgmng', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'DvQq9YiAtj'
Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, hFoyd9ZZlscN3Tfusf/bsYUZZyCX661EfBocS.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'kZMhivpLIy', 'x1PKGpaia1', 'BJaKdSKsIu', 'cGEKnJLZ5S', 'zqEKR4RpPQ', 'RvgKyr1y5H', 'NfBKDsUM5S', 'lqVKBUFGHP'
Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, iXcXSY7pg6yVKma70g/jLGGdLl5HwEF2rsueU.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'IBvOK1Pi9i', 'SKo7x85PYt', 'bku7L97UVm', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'FB3JJ7eR0b'
Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, mnTCYWkpLjqq4LGHqX/kfr1mxPYEEI8CfmbyY.cs	High entropy of concatenated method names: 'RMtXalTxwL', 'jOaXRpwgJK', 'Q5aX2yhTm1', 'xTiXQQsa9W', 'B0IXY77Bln', 'CnDX8xXo6b', 'yyNXnjGTLw', 'c8vXTNTefY', 'kYTX4YC92l', 'SeYXSfOxoW'
Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, tTffFSW6kXuWfKvgpm/UOSweUjq7D3sPinCNu.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'wsnOiC6GaD', 'hHGOMCIsTu', 'BJkONONCLV', 'KPQOu61RIR', 'HxMOnKvXh0', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ'
Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, w6i5Cem3b4xmaEE2yY/rUOALAfKg30nVuRCdr.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'qH2gvI9wZD', 'o3YJ90YG3K', 'VQ1JzqnLgi', 'WwW71Ti0Ad', 'v1F7ZYu8Uf', 'dxP7NYx2jU', 'kyw7irjvf8', 'wM57hnS8DW'
Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, BOhciDTI7UxO4gCOYU/Ksq8yb8IncZbxUSfmK.cs	High entropy of concatenated method names: 'HZlDPscN3T', 'NusDkf5vSB', 'cnJDblsYH5', 'HTpD57PRry', 'fALD6AKg30', 'kVuDURCdrY', 'Fi5DCCe3b4', 'LmaD9EE2yY', 'a3sDoPinCN', 'jATDyffFS6'
Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, pRlxiNUbgypVuoP6Uh/B4JTi56RhtZikvpub4.cs	High entropy of concatenated method names: 's3PpInSb1e', 'bripoYOGY3', 'cONpZriHm4', 'p1Ipx2BLIJ', 'yuDpfSAUcP', 'rv9pmVEwn5', 'odXpjX6no1', 'zUhpW2PJTx', 'HEJp7SLcUP', 'm6Epc8HDNQ'
Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, RfbfwGoi8RPSlkqfew/qGs0IBIGoXtVyYiA1b.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'ehiKVxgOqk', 'LXqKXarBEi', 'BLMKWrRO8N', 'xuZKgi2kW4', 'bKKKjrFVis', 'sDiK8i9FmT', 'SDnKo9k9ij', 'EYEKf66OdJ'
Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.cs	High entropy of concatenated method names: 'FsAGkxXBtY', 'TQpG6mcP37', 'NwdGUDD57w', '.ctor', '.ctor', 'upuGtXdOLY', 'mDjGb9jM1G', 'eutG5DCn44', 'sqXGKZ9lIE', 'U4ObLnO8pNqZRXbmlDm'
Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, gqpYcCwBrSrjvOKN6q/IQsis3cmuWgyYrWLIv.cs	High entropy of concatenated method names: '.ctor', 'YN9GDMDqbS', 'UwiGXgxhR5', 'gthGpXFG2c', 'ngcGhmkHlQ', 'HVCGgN1oxl', 'KhMGO58mrv', 'eg5aFLImrdSvdXjBWky', 'SO4kInIZEE6eEbTFr2r', 'jraHeDIreMNgnEaTC1n'
Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, kXrdsv5uiP4KNIMTbI/G3qiembJ0C8UrfLoZV.cs	High entropy of concatenated method names: 'bagpr2m3hV', 'iGapBfs8pV', 'h6Ipqu7YNW', 'TFJpJ0FEjI', 'krmpap9A66', 'lQ9pRAvFtZ', 'WfIpAOuqVa', 'TpNp2rG3xC', 'vCrpQI9Vta', 'GClpsf0sCk'
Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, kYTYC9Dp2lHvdL05CDn/hCHQaLDX5jt1yNjGTLw.cs	High entropy of concatenated method names: '.ctor', 'mDDGcb94xK', 'G8QGwwKryy', 'THMGvTWsr1', 'f5AG0KfJH7', 'z24GHSyjdO', 'BcvG3YDk2Q', 'bdPGdKrmpJ', 'HX3GeiDjeb', 'CTiGzf0MTM'
Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, LkgEbVzqnyfvD9F8H4/oEghyCe5Od9Uuo0voS.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'eliGylqiUR', 'VI27Op8v8m', 'ssN7QONSW9', 'R3lWrtO1QeoiU6PecH5', 'BnDSLGO713q4vgaRLQF', 'B9k7VDOxqLZy0YQN1hV', 'exF0vPON2GlJMfaSuqm', 'ovBBCAOvd0wREXMLZFH'
Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, qNHMG6DDHOYZZ5NjAIq/pdO1x8DEK7IDC09kUd6.cs	High entropy of concatenated method names: 'Dispose', 'JlJGLNYeE8', 'Q4nGfoJqPc', 'DXPGmUGTfi', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'xDZsj1OsUUcAGBnvxhH', 'BiQy5SOUvqUO3fyuhUy'
Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, vH5CTpL7PRrybq4BEx/DvSBiax85Mf9iXnJls.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'TUkhHwEoMQ', 'jexqB0sQvf', 'EAMq0Lgmng', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'DvQq9YiAtj'
Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, hFoyd9ZZlscN3Tfusf/bsYUZZyCX661EfBocS.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'kZMhivpLIy', 'x1PKGpaia1', 'BJaKdSKsIu', 'cGEKnJLZ5S', 'zqEKR4RpPQ', 'RvgKyr1y5H', 'NfBKDsUM5S', 'lqVKBUFGHP'
Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, mnTCYWkpLjqq4LGHqX/kfr1mxPYEEI8CfmbyY.cs	High entropy of concatenated method names: 'RMtXalTxwL', 'jOaXRpwgJK', 'Q5aX2yhTm1', 'xTiXQQsa9W', 'B0IXY77Bln', 'CnDX8xXo6b', 'yyNXnjGTLw', 'c8vXTNTefY', 'kYTX4YC92l', 'SeYXSfOxoW'
Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, iXcXSY7pg6yVKma70g/jLGGdLl5HwEF2rsueU.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'IBvOK1Pi9i', 'SKo7x85PYt', 'bku7L97UVm', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'FB3JJ7eR0b'
Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, tTffFSW6kXuWfKvgpm/UOSweUjq7D3sPinCNu.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'wsnOiC6GaD', 'hHGOMCIsTu', 'BJkONONCLV', 'KPQOu61RIR', 'HxMOnKvXh0', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ'
Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, w6i5Cem3b4xmaEE2yY/rUOALAfKg30nVuRCdr.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'qH2gvI9wZD', 'o3YJ90YG3K', 'VQ1JzqnLgi', 'WwW71Ti0Ad', 'v1F7ZYu8Uf', 'dxP7NYx2jU', 'kyw7irjvf8', 'wM57hnS8DW'
Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, qNHMG6DDHOYZZ5NjAIq/pdO1x8DEK7IDC09kUd6.cs	High entropy of concatenated method names: 'Dispose', 'JlJGLNYeE8', 'Q4nGfoJqPc', 'DXPGmUGTfi', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'xDZsj1OsUUcAGBnvxhH', 'BiQy5SOUvqUO3fyuhUy'
Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, BOhciDTI7UxO4gCOYU/Ksq8yb8IncZbxUSfmK.cs	High entropy of concatenated method names: 'HZlDPscN3T', 'NusDkf5vSB', 'cnJDblsYH5', 'HTpD57PRry', 'fALD6AKg30', 'kVuDURCdrY', 'Fi5DCCe3b4', 'LmaD9EE2yY', 'a3sDoPinCN', 'jATDyffFS6'
Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, LkgEbVzqnyfvD9F8H4/oEghyCe5Od9Uuo0voS.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'eliGylqiUR', 'VI27Op8v8m', 'ssN7QONSW9', 'R3lWrtO1QeoiU6PecH5', 'BnDSLGO713q4vgaRLQF', 'B9k7VDOxqLZy0YQN1hV', 'exF0vPON2GlJMfaSuqm', 'ovBBCAOvd0wREXMLZFH'
Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, pRlxiNUbgypVuoP6Uh/B4JTi56RhtZikvpub4.cs	High entropy of concatenated method names: 's3PpInSb1e', 'bripoYOGY3', 'cONpZriHm4', 'p1Ipx2BLIJ', 'yuDpfSAUcP', 'rv9pmVEwn5', 'odXpjX6no1', 'zUhpW2PJTx', 'HEJp7SLcUP', 'm6Epc8HDNQ'
Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, kXrdsv5uiP4KNIMTbI/G3qiembJ0C8UrfLoZV.cs	High entropy of concatenated method names: 'bagpr2m3hV', 'iGapBfs8pV', 'h6Ipqu7YNW', 'TFJpJ0FEjI', 'krmpap9A66', 'lQ9pRAvFtZ', 'WfIpAOuqVa', 'TpNp2rG3xC', 'vCrpQI9Vta', 'GClpsf0sCk'
Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, RfbfwGoi8RPSlkqfew/qGs0IBIGoXtVyYiA1b.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'ehiKVxgOqk', 'LXqKXarBEi', 'BLMKWrRO8N', 'xuZKgi2kW4', 'bKKKjrFVis', 'sDiK8i9FmT', 'SDnKo9k9ij', 'EYEKf66OdJ'
Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.cs	High entropy of concatenated method names: 'FsAGkxXBtY', 'TQpG6mcP37', 'NwdGUDD57w', '.ctor', '.ctor', 'upuGtXdOLY', 'mDjGb9jM1G', 'eutG5DCn44', 'sqXGKZ9lIE', 'U4ObLnO8pNqZRXbmlDm'
Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, gqpYcCwBrSrjvOKN6q/IQsis3cmuWgyYrWLIv.cs	High entropy of concatenated method names: '.ctor', 'YN9GDMDqbS', 'UwiGXgxhR5', 'gthGpXFG2c', 'ngcGhmkHlQ', 'HVCGgN1oxl', 'KhMGO58mrv', 'eg5aFLImrdSvdXjBWky', 'SO4kInIZEE6eEbTFr2r', 'jraHeDIreMNgnEaTC1n'
Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, kYTYC9Dp2lHvdL05CDn/hCHQaLDX5jt1yNjGTLw.cs	High entropy of concatenated method names: '.ctor', 'mDDGcb94xK', 'G8QGwwKryy', 'THMGvTWsr1', 'f5AG0KfJH7', 'z24GHSyjdO', 'BcvG3YDk2Q', 'bdPGdKrmpJ', 'HX3GeiDjeb', 'CTiGzf0MTM'
Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, vH5CTpL7PRrybq4BEx/DvSBiax85Mf9iXnJls.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'TUkhHwEoMQ', 'jexqB0sQvf', 'EAMq0Lgmng', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'DvQq9YiAtj'
Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, hFoyd9ZZlscN3Tfusf/bsYUZZyCX661EfBocS.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'kZMhivpLIy', 'x1PKGpaia1', 'BJaKdSKsIu', 'cGEKnJLZ5S', 'zqEKR4RpPQ', 'RvgKyr1y5H', 'NfBKDsUM5S', 'lqVKBUFGHP'
Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, mnTCYWkpLjqq4LGHqX/kfr1mxPYEEI8CfmbyY.cs	High entropy of concatenated method names: 'RMtXalTxwL', 'jOaXRpwgJK', 'Q5aX2yhTm1', 'xTiXQQsa9W', 'B0IXY77Bln', 'CnDX8xXo6b', 'yyNXnjGTLw', 'c8vXTNTefY', 'kYTX4YC92l', 'SeYXSfOxoW'
Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, iXcXSY7pg6yVKma70g/jLGGdLl5HwEF2rsueU.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'IBvOK1Pi9i', 'SKo7x85PYt', 'bku7L97UVm', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'FB3JJ7eR0b'
Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, tTffFSW6kXuWfKvgpm/UOSweUjq7D3sPinCNu.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'wsnOiC6GaD', 'hHGOMCIsTu', 'BJkONONCLV', 'KPQOu61RIR', 'HxMOnKvXh0', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ'
Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, w6i5Cem3b4xmaEE2yY/rUOALAfKg30nVuRCdr.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'qH2gvI9wZD', 'o3YJ90YG3K', 'VQ1JzqnLgi', 'WwW71Ti0Ad', 'v1F7ZYu8Uf', 'dxP7NYx2jU', 'kyw7irjvf8', 'wM57hnS8DW'
Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, pRlxiNUbgypVuoP6Uh/B4JTi56RhtZikvpub4.cs	High entropy of concatenated method names: 's3PpInSb1e', 'bripoYOGY3', 'cONpZriHm4', 'p1Ipx2BLIJ', 'yuDpfSAUcP', 'rv9pmVEwn5', 'odXpjX6no1', 'zUhpW2PJTx', 'HEJp7SLcUP', 'm6Epc8HDNQ'
Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, BOhciDTI7UxO4gCOYU/Ksq8yb8IncZbxUSfmK.cs	High entropy of concatenated method names: 'HZlDPscN3T', 'NusDkf5vSB', 'cnJDblsYH5', 'HTpD57PRry', 'fALD6AKg30', 'kVuDURCdrY', 'Fi5DCCe3b4', 'LmaD9EE2yY', 'a3sDoPinCN', 'jATDyffFS6'
Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, RfbfwGoi8RPSlkqfew/qGs0IBIGoXtVyYiA1b.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'ehiKVxgOqk', 'LXqKXarBEi', 'BLMKWrRO8N', 'xuZKgi2kW4', 'bKKKjrFVis', 'sDiK8i9FmT', 'SDnKo9k9ij', 'EYEKf66OdJ'
Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.cs	High entropy of concatenated method names: 'FsAGkxXBtY', 'TQpG6mcP37', 'NwdGUDD57w', '.ctor', '.ctor', 'upuGtXdOLY', 'mDjGb9jM1G', 'eutG5DCn44', 'sqXGKZ9lIE', 'U4ObLnO8pNqZRXbmlDm'
Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, kXrdsv5uiP4KNIMTbI/G3qiembJ0C8UrfLoZV.cs	High entropy of concatenated method names: 'bagpr2m3hV', 'iGapBfs8pV', 'h6Ipqu7YNW', 'TFJpJ0FEjI', 'krmpap9A66', 'lQ9pRAvFtZ', 'WfIpAOuqVa', 'TpNp2rG3xC', 'vCrpQI9Vta', 'GClpsf0sCk'
Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, gqpYcCwBrSrjvOKN6q/IQsis3cmuWgyYrWLIv.cs	High entropy of concatenated method names: '.ctor', 'YN9GDMDqbS', 'UwiGXgxhR5', 'gthGpXFG2c', 'ngcGhmkHlQ', 'HVCGgN1oxl', 'KhMGO58mrv', 'eg5aFLImrdSvdXjBWky', 'SO4kInIZEE6eEbTFr2r', 'jraHeDIreMNgnEaTC1n'
Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, kYTYC9Dp2lHvdL05CDn/hCHQaLDX5jt1yNjGTLw.cs	High entropy of concatenated method names: '.ctor', 'mDDGcb94xK', 'G8QGwwKryy', 'THMGvTWsr1', 'f5AG0KfJH7', 'z24GHSyjdO', 'BcvG3YDk2Q', 'bdPGdKrmpJ', 'HX3GeiDjeb', 'CTiGzf0MTM'
Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, qNHMG6DDHOYZZ5NjAIq/pdO1x8DEK7IDC09kUd6.cs	High entropy of concatenated method names: 'Dispose', 'JlJGLNYeE8', 'Q4nGfoJqPc', 'DXPGmUGTfi', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'xDZsj1OsUUcAGBnvxhH', 'BiQy5SOUvqUO3fyuhUy'
Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, LkgEbVzqnyfvD9F8H4/oEghyCe5Od9Uuo0voS.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'eliGylqiUR', 'VI27Op8v8m', 'ssN7QONSW9', 'R3lWrtO1QeoiU6PecH5', 'BnDSLGO713q4vgaRLQF', 'B9k7VDOxqLZy0YQN1hV', 'exF0vPON2GlJMfaSuqm', 'ovBBCAOvd0wREXMLZFH'

Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Window / User API: threadDelayed 968			Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Window / User API: threadDelayed 8887			Jump to behavior

Source: C:\Users\user\Desktop\RFQ_ 21072021.exe TID: 4872	Thread sleep time: -45897s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe TID: 720	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe TID: 1492	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe TID: 3412	Thread sleep count: 968 > 30	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe TID: 3412	Thread sleep count: 8887 > 30	Jump to behavior

Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Thread delayed: delay time: 45897	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RFQ_ 21072021.exe, 00000005.00000002.475880688.0000000006310000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RFQ_ 21072021.exe	Binary or memory string: DdUXhZQ[fUE6Ws]YTSk6WLInYD73f[o5QsEYYq{nV]8XY[8XVpEzfoQZd5M[]WMZ][<IgogJD}4pfy]3[3Y5]DL[]}Y4[3Y5]D75esU[\moJezE[TiU[]qET]m8Z\3QqeMU[]K<IgogJD\|YJg4E[eyQ3[3Y5]DL6e3Q5\xDjfoUZd5<pfTU6\osp\SQ[]mopg\|Y5XlY5Y843[wEjfoUZd5<pfTU6\osp\SQ[e\|<pU843[wEjfoQ[YDL[]nopgyMKX3QZ
Source: RFQ_ 21072021.exe, 00000005.00000002.475880688.0000000006310000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RFQ_ 21072021.exe, 00000005.00000002.475880688.0000000006310000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RFQ_ 21072021.exe, 00000005.00000002.470729166.000000000166F000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA=q
Source: RFQ_ 21072021.exe, 00000005.00000002.475880688.0000000006310000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: RFQ_ 21072021.exe, 00000005.00000002.470935101.0000000001C00000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RFQ_ 21072021.exe, 00000005.00000002.470935101.0000000001C00000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RFQ_ 21072021.exe, 00000005.00000002.470935101.0000000001C00000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RFQ_ 21072021.exe, 00000005.00000002.470935101.0000000001C00000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: Yara match	File source: 5.2.RFQ_ 21072021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Source: Yara match	File source: 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ_ 21072021.exe PID: 2408, type: MEMORY

Name	IP	Active
tccinfaes.com	188.93.227.195	true
mail.tccinfaes.com	unknown	unknown

ID:	452459
Product:	CloudBasic
Start time:	12:00:04
Start date:	22.07.2021
Sample:	RFQ_ 21072021.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	0a74cbd4246a6e11077876c572a3d507
SHA1:	0a4f341f4e9b399fa37a42e041bb3bb3b6f455ff
SHA256:	4856e75e63f0c5c14255001eefbea1d88c99fa8b7279dd0703a407a90b222b93
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Windows Analysis Report RFQ_ 21072021.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains