Windows Analysis Report ASGT(Al Sahoo General Trading) - RFQ.exe

Overview

General Information

Sample Name: ASGT(Al Sahoo General Trading) - RFQ.exe
Analysis ID: 483055
MD5: f981ae4dae49248c03dd86b5508ec434
SHA1: 680901b0a898a68ff04cbaafb851e28294d06d03
SHA256: ef45c55d9b3fd183f6c9b4e0359005fa6052fa4155de07129b839056b7cc26e9
Tags: exe, nanocore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Stores files to the Windows start menu directory
Contains functionality to dynamically determine API calls
Creates processes with suspicious names
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to launch a program with higher privileges
Creates a process in suspended mode (likely to inject code)
Sigma detected: PowerShell Script Run in AppData

Process Tree

  • System is w10x64
  • ASGT(Al Sahoo General Trading) - RFQ.exe (PID: 6864 cmdline: 'C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe' MD5: F981AE4DAE49248C03DD86B5508EC434)
    • powershell.exe (PID: 7012 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AdvancedRun.exe (PID: 5352 cmdline: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 6648 cmdline: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 5352 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • AdvancedRun.exe (PID: 6952 cmdline: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 5316 cmdline: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 6952 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000018.00000002.638149839.00000000069B0000.00000004.00020000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x59eb:$x1: NanoCore.ClientPluginHost
  • 0x5b48:$x2: IClientNetworkHost
00000018.00000002.638149839.00000000069B0000.00000004.00020000.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x59eb:$x2: NanoCore.ClientPluginHost
  • 0x6941:$s3: PipeExists
  • 0x5be1:$s4: PipeCreated
  • 0x5a05:$s5: IClientLoggingHost
00000018.00000002.634473391.00000000056B0000.00000004.00020000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000018.00000002.634473391.00000000056B0000.00000004.00020000.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
00000018.00000002.638232760.00000000069D0000.00000004.00020000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5b99:$x1: NanoCore.ClientPluginHost
  • 0x5bb3:$x2: IClientNetworkHost

Unpacked PEs

Source | Rule | Description | Author | Strings
24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.56b0000.15.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.56b0000.15.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.2ed1d4c.5.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x6da5:$x1: NanoCore.ClientPluginHost
  • 0x6dd2:$x2: IClientNetworkHost
24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.2ed1d4c.5.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x6da5:$x2: NanoCore.ClientPluginHost
  • 0x7d74:$s2: FileCommand
  • 0xc776:$s4: PipeCreated
  • 0x6dbf:$s5: IClientLoggingHost
24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.3fbbf69.10.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x2dbb:$x1: NanoCore.ClientPluginHost
  • 0x2de5:$x2: IClientNetworkHost

Sigma Overview

System Summary:

Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Source: Process started, Author: ok @securonix invrep-de, oscd.community, frack113: Data: Command: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run, CommandLine: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run, CommandLine|base64offset|contains: E)^, Image: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe, ParentCommandLine: 'C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe' , ParentImage: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe, ParentProcessId: 6864, ProcessCommandLine: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run, ProcessId: 5352
Sigma detected: PowerShell Script Run in AppData
Source: Process started, Author: Florian Roth, Jonhnathan Ribeiro, oscd.community: Data: Command: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run, CommandLine: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run, CommandLine|base64offset|contains: E)^, Image: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe, ParentCommandLine: 'C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe' , ParentImage: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe, ParentProcessId: 6864, ProcessCommandLine: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run, ProcessId: 6952
Sigma detected: Non Interactive PowerShell
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20, CommandLine|base64offset|contains: Jy, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe' , ParentImage: C:\Users\user\Desktop\ASGT(Al Sahoo General Trading) - RFQ.exe, ParentProcessId: 6864, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Start-Sleep -s 20, ProcessId: 7012
Sigma detected: T1086 PowerShell Execution
Source: Pipe created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132761252930863016.7012.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, Virustotal: Detection: 34%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe, Virustotal: Detection: 34%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\myxpcstart.exe, Virustotal: Detection: 34%
Yara detected Nanocore RAT
Source: Yara match, File source: Process Memory Space: ASGT(Al Sahoo General Trading) - RFQ.exe PID: 6864, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: ASGT(Al Sahoo General Trading) - RFQ.exe PID: 6928, type: MEMORYSTR
Machine Learning detection for sample
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ASGT(Al Sahoo General Trading) - RFQ.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\myxpcstart.exe, Joe Sandbox ML: detected
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.57d0000.17.unpack, Avira: Label: TR/NanoCore.fadte
Source: 24.2.ASGT(Al Sahoo General Trading) - RFQ.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000000.00000002.621941365.00000000042A9000.00000004.00000001.sdmp, AdvancedRun.exe, 00000010.00000000.552112608.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000013.00000000.579886617.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000014.00000002.609357349.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000015.00000000.606662276.000000000040C000.00000002.00020000.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdb source: ASGT(Al Sahoo General Trading) - RFQ.exe
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.638149839.00000000069B0000.00000004.00020000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdbSHA256/ source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000000.00000000.351721337.0000000000C72000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000016.00000002.613801110.0000000000042000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000017.00000002.615423389.00000000001C2000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.625554370.0000000000A62000.00000002.00020000.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.632660357.0000000003F0C000.00000004.00000001.sdmp
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000000.00000000.351721337.0000000000C72000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000016.00000002.613801110.0000000000042000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000017.00000002.615423389.00000000001C2000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.625554370.0000000000A62000.00000002.00020000.sdmp, String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000000.00000000.351721337.0000000000C72000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000016.00000002.613801110.0000000000042000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000017.00000002.615423389.00000000001C2000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.625554370.0000000000A62000.00000002.00020000.sdmp, String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000000.00000000.351721337.0000000000C72000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000016.00000002.613801110.0000000000042000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000017.00000002.615423389.00000000001C2000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.625554370.0000000000A62000.00000002.00020000.sdmp, String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000000.00000002.621941365.00000000042A9000.00000004.00000001.sdmp, String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000000.00000002.621941365.00000000042A9000.00000004.00000001.sdmp, String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000000.00000000.351721337.0000000000C72000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000016.00000002.613801110.0000000000042000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000017.00000002.615423389.00000000001C2000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.625554370.0000000000A62000.00000002.00020000.sdmp, String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000000.00000000.351721337.0000000000C72000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000016.00000002.613801110.0000000000042000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000017.00000002.615423389.00000000001C2000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000018.00000002.625554370.0000000000A62000.00000002.00020000.sdmp, String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ASGT(Al Sahoo General Trading) - RFQ.exe, 00000000.00000000.351721337.0000000000C72000.00000002.00020000.sdmp, ASGT(Al Sahoo General Trading) - RFQ.exe, 00000016.00000002.613801110.0000000000042000.