Windows Analysis Report
RFQ__637456464647.exe

Overview

General Information

Sample Name: RFQ__637456464647.exe
Analysis ID: 632544
MD5: b4bc907e8d48e8f09b4d9fdd8d416599
SHA1: 592a814a428c8a5de3f06245996fc775e8dc987f
SHA256: 7f7804a5460695dae61e378d733f0a613083e84c654ea6264a5276944b33f943
Tags: exe, SnakeKeylogger

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Machine Learning detection for sample
Injects a PE file into a foreign process
Yara detected Generic Downloader
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Yara detected Credential Stealer
Uses the system / local time for branch decision (may execute only at specific dates)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Checks if the current process is being debugged
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram Token": "Null!", "Telegram ID": "5164987354:AAFbwY5baNRyoCilWU25jL6nSQnU8yn8vuc"}
Source: RFQ__637456464647.exe ReversingLabs: Detection: 46%
Source: RFQ__637456464647.exe Joe Sandbox ML: detected
Source: 1.0.RFQ__637456464647.exe.400000.12.unpack Avira: Label: TR/ATRAPS.Gen
Source: 1.2.RFQ__637456464647.exe.400000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 1.0.RFQ__637456464647.exe.400000.8.unpack Avira: Label: TR/ATRAPS.Gen
Source: 1.0.RFQ__637456464647.exe.400000.6.unpack Avira: Label: TR/ATRAPS.Gen
Source: 1.0.RFQ__637456464647.exe.400000.4.unpack Avira: Label: TR/ATRAPS.Gen
Source: 1.0.RFQ__637456464647.exe.400000.10.unpack Avira: Label: TR/ATRAPS.Gen
Source: RFQ__637456464647.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: RFQ__637456464647.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: System.Windows.Forms.pdb source: WER7284.tmp.dmp.13.dr
Source: Binary string: System.Core.ni.pdbRSDSD source: WER7284.tmp.dmp.13.dr
Source: Binary string: k,C:\Windows\System.pdb source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.316242132.0000000001367000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER7284.tmp.dmp.13.dr
Source: Binary string: System.Windows.Forms.pdbxT source: WER7284.tmp.dmp.13.dr
Source: Binary string: System.ni.pdbRSDS source: WER7284.tmp.dmp.13.dr
Source: Binary string: 7.PDB source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Desktop\RFQ__637456464647.PDB source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.316242132.0000000001367000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER7284.tmp.dmp.13.dr
Source: Binary string: .pdb, source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.316242132.0000000001367000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER7284.tmp.dmp.13.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER7284.tmp.dmp.13.dr
Source: Binary string: System.pdbP>Q source: WER7284.tmp.dmp.13.dr
Source: Binary string: C:\Users\user\Desktop\RFQ__637456464647.PDB6 source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.316242132.0000000001367000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER7284.tmp.dmp.13.dr
Source: Binary string: System.pdb source: WER7284.tmp.dmp.13.dr
Source: Binary string: chrome.exe.pdb source: RFQ__637456464647.exe, 00000000.00000002.317423148.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.318083841.0000000004762000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000000.281746338.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp, chrome.exe.0.dr
Source: Binary string: System.Core.ni.pdb source: WER7284.tmp.dmp.13.dr
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 054D0741h 1_2_054D0498
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 054D02E9h 1_2_054D0040
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 054D0B99h 1_2_054D08F0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 0648E0A9h 1_2_0648DE00
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 064848D1h 1_2_06484628
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 06485181h 1_2_06484ED8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 0648E981h 1_2_0648E6D8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 06488149h 1_2_06487EA0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 064889F9h 1_2_06488750
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 06485A31h 1_2_06485788
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 0648F231h 1_2_0648EF88
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 06483771h 1_2_064834C8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 06486739h 1_2_06486490
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 06486FE9h 1_2_06486D40
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 06484021h 1_2_06483D78
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 06487899h 1_2_064875F0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 06487CF1h 1_2_06487A48
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 064885A1h 1_2_064882F8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 06484D29h 1_2_06484A80
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 0648E529h 1_2_0648E280
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 064855D9h 1_2_06485330
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 0648EDD9h 1_2_0648EB30
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 06485E89h 1_2_06485BE0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 0648F689h 1_2_0648F3E0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 06483319h 1_2_06483070
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 064862E1h 1_2_06486038
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 0648FAE1h 1_2_0648F838
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 06486B91h 1_2_064868E8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 06483BC9h 1_2_06483920
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 06484479h 1_2_064841D0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then jmp 06487441h 1_2_06487198
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 1_2_0648C336
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 1_2_0648C00F
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 1_2_0648C020

Networking

Source: Traffic Snort IDS: 2842536 ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.3:49740 -> 132.226.8.169:80
Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__637456464647.exe.42c9510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.42c9510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__637456464647.exe.45692e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.42c9510.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.45692e0.3.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View ASN Name: UTMEMUS UTMEMUS
Source: Joe Sandbox View IP Address: 132.226.8.169 132.226.8.169
Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RFQ__637456464647.exe, 00000001.00000002.529500482.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: RFQ__637456464647.exe, 00000001.00000002.528823599.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000001.00000002.529500482.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: RFQ__637456464647.exe, 00000001.00000002.528823599.0000000002F51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: RFQ__637456464647.exe, 00000001.00000002.528823599.0000000002F51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org4Jk
Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: chrome.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: RFQ__637456464647.exe String found in binary or memory: http://sawebservice.red-gate.com/
Source: RFQ__637456464647.exe, 00000001.00000002.528823599.0000000002F51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, chrome.exe.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: RFQ__637456464647.exe String found in binary or memory: http://www.smartassembly.com/webservices/Reporting/
Source: RFQ__637456464647.exe String found in binary or memory: http://www.smartassembly.com/webservices/Reporting/UploadReport2
Source: RFQ__637456464647.exe String found in binary or memory: http://www.smartassembly.com/webservices/UploadReportLogin/
Source: RFQ__637456464647.exe String found in binary or memory: http://www.smartassembly.com/webservices/UploadReportLogin/GetServerURL
Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: RFQ__637456464647.exe, 00000000.00000002.317423148.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.318083841.0000000004762000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, chrome.exe, 00000005.00000000.281746338.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp, chrome.exe.0.dr String found in binary or memory: https://crashpad.chromium.org/
Source: RFQ__637456464647.exe, 00000000.00000002.317423148.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.318083841.0000000004762000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, chrome.exe, 00000005.00000000.281746338.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp, chrome.exe.0.dr String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: RFQ__637456464647.exe, 00000000.00000002.317423148.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.318083841.0000000004762000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000000.281746338.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp, chrome.exe.0.dr String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: RFQ__637456464647.exe String found in binary or memory: https://dsssdsa.fa
Source: RFQ__637456464647.exe String found in binary or memory: https://dsssdsa.fa)Uri
Source: unknown DNS traffic detected: queries for: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: RFQ__637456464647.exe, 00000000.00000002.316474597.000000000174A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.0.RFQ__637456464647.exe.45692e0.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.0.RFQ__637456464647.exe.45692e0.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.0.RFQ__637456464647.exe.45692e0.3.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.0.RFQ__637456464647.exe.42c9510.5.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.0.RFQ__637456464647.exe.42c9510.5.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.0.RFQ__637456464647.exe.42c9510.5.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.0.RFQ__637456464647.exe.45692e0.6.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.0.RFQ__637456464647.exe.45692e0.6.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.0.RFQ__637456464647.exe.45692e0.6.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.0.RFQ__637456464647.exe.42c9510.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.0.RFQ__637456464647.exe.42c9510.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.0.RFQ__637456464647.exe.42c9510.2.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ__637456464647.exe.45692e0.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ__637456464647.exe.45692e0.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ__637456464647.exe.45692e0.2.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ__637456464647.exe.42c9510.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ__637456464647.exe.42c9510.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ__637456464647.exe.42c9510.1.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ__637456464647.exe.42c9510.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ__637456464647.exe.42c9510.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.0.RFQ__637456464647.exe.42c9510.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.0.RFQ__637456464647.exe.42c9510.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ__637456464647.exe.45692e0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ__637456464647.exe.45692e0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.0.RFQ__637456464647.exe.42c9510.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.0.RFQ__637456464647.exe.42c9510.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.0.RFQ__637456464647.exe.45692e0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.0.RFQ__637456464647.exe.45692e0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000000.266228380.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000002.525677202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000000.300985988.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000000.270358708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000000.268966946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.318129181.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000000.292477124.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000000.300121250.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.317478170.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000000.299489390.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RFQ__637456464647.exe PID: 6312, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RFQ__637456464647.exe PID: 6400, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: RFQ__637456464647.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.RFQ__637456464647.exe.45692e0.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.RFQ__637456464647.exe.45692e0.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.RFQ__637456464647.exe.45692e0.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.RFQ__637456464647.exe.42c9510.5.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.RFQ__637456464647.exe.42c9510.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.RFQ__637456464647.exe.42c9510.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.RFQ__637456464647.exe.45692e0.6.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.RFQ__637456464647.exe.45692e0.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.RFQ__637456464647.exe.45692e0.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.RFQ__637456464647.exe.42c9510.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.RFQ__637456464647.exe.42c9510.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.RFQ__637456464647.exe.42c9510.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ__637456464647.exe.45692e0.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.RFQ__637456464647.exe.45692e0.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ__637456464647.exe.45692e0.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ__637456464647.exe.42c9510.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.RFQ__637456464647.exe.42c9510.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ__637456464647.exe.42c9510.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ__637456464647.exe.42c9510.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ__637456464647.exe.42c9510.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.RFQ__637456464647.exe.42c9510.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.RFQ__637456464647.exe.42c9510.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ__637456464647.exe.45692e0.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ__637456464647.exe.45692e0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.RFQ__637456464647.exe.42c9510.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.RFQ__637456464647.exe.42c9510.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.RFQ__637456464647.exe.45692e0.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.RFQ__637456464647.exe.45692e0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000000.266228380.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000002.525677202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000000.300985988.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000000.270358708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000000.268966946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.318129181.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000000.292477124.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000000.300121250.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.317478170.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000000.299489390.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RFQ__637456464647.exe PID: 6312, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RFQ__637456464647.exe PID: 6400, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 1296
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D0498 1_2_054D0498
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D0040 1_2_054D0040
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D4318 1_2_054D4318
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D2398 1_2_054D2398
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D4FB0 1_2_054D4FB0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D4968 1_2_054D4968
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D29E0 1_2_054D29E0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D08F0 1_2_054D08F0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D3678 1_2_054D3678
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D16F8 1_2_054D16F8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D3028 1_2_054D3028
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D1D48 1_2_054D1D48
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D3CC8 1_2_054D3CC8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D0493 1_2_054D0493
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D0016 1_2_054D0016
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D430A 1_2_054D430A
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D2388 1_2_054D2388
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D4F9F 1_2_054D4F9F
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D4959 1_2_054D4959
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D29CF 1_2_054D29CF
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D08E0 1_2_054D08E0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D3668 1_2_054D3668
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D16EA 1_2_054D16EA
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D3018 1_2_054D3018
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D1D38 1_2_054D1D38
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D3CB9 1_2_054D3CB9
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648DE00 1_2_0648DE00
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06484628 1_2_06484628
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06484ED8 1_2_06484ED8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648E6D8 1_2_0648E6D8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06487EA0 1_2_06487EA0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06488750 1_2_06488750
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648B770 1_2_0648B770
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06485788 1_2_06485788
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648EF88 1_2_0648EF88
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_064834C8 1_2_064834C8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06486490 1_2_06486490
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06486D40 1_2_06486D40
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06483D78 1_2_06483D78
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_064875F0 1_2_064875F0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06487A48 1_2_06487A48
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_064882F8 1_2_064882F8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06484A80 1_2_06484A80
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648E280 1_2_0648E280
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06485330 1_2_06485330
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648EB30 1_2_0648EB30
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06485BE0 1_2_06485BE0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648F3E0 1_2_0648F3E0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648C398 1_2_0648C398
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06488BA8 1_2_06488BA8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06480040 1_2_06480040
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06483070 1_2_06483070
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06486038 1_2_06486038
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648F838 1_2_0648F838
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_064868E8 1_2_064868E8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648D098 1_2_0648D098
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06483920 1_2_06483920
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_064841D0 1_2_064841D0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06487198 1_2_06487198
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06484621 1_2_06484621
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06484EC8 1_2_06484EC8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648E6C8 1_2_0648E6C8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648B6C9 1_2_0648B6C9
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06487E90 1_2_06487E90
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06488741 1_2_06488741
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06485778 1_2_06485778
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648EF79 1_2_0648EF79
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06486483 1_2_06486483
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_064834B8 1_2_064834B8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06483D68 1_2_06483D68
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06486D37 1_2_06486D37
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_064875E0 1_2_064875E0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648DDF0 1_2_0648DDF0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06484A70 1_2_06484A70
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648E271 1_2_0648E271
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06487A3B 1_2_06487A3B
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_064882E8 1_2_064882E8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648EB20 1_2_0648EB20
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06485321 1_2_06485321
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06485BD0 1_2_06485BD0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648F3D0 1_2_0648F3D0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06483063 1_2_06483063
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648C00F 1_2_0648C00F
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648F828 1_2_0648F828
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648602F 1_2_0648602F
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648C020 1_2_0648C020
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06480033 1_2_06480033
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_064868D8 1_2_064868D8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06483910 1_2_06483910
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_064841C0 1_2_064841C0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06487188 1_2_06487188
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B761E0 5_2_00007FF7A8B761E0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B76A10 5_2_00007FF7A8B76A10
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B67160 5_2_00007FF7A8B67160
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B5B170 5_2_00007FF7A8B5B170
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B13980 5_2_00007FF7A8B13980
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B3B220 5_2_00007FF7A8B3B220
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8AADA80 5_2_00007FF7A8AADA80
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B993DC 5_2_00007FF7A8B993DC
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8A76BA0 5_2_00007FF7A8A76BA0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8A74B50 5_2_00007FF7A8A74B50
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B5DB20 5_2_00007FF7A8B5DB20
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8BE1CE0 5_2_00007FF7A8BE1CE0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8AAE4B0 5_2_00007FF7A8AAE4B0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B3DC90 5_2_00007FF7A8B3DC90
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8A76C80 5_2_00007FF7A8A76C80
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B395A0 5_2_00007FF7A8B395A0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B665D0 5_2_00007FF7A8B665D0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8AA4540 5_2_00007FF7A8AA4540
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8AB0540 5_2_00007FF7A8AB0540
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8A75D90 5_2_00007FF7A8A75D90
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8C05550 5_2_00007FF7A8C05550
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8A77D60 5_2_00007FF7A8A77D60
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8AB96A0 5_2_00007FF7A8AB96A0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8C0CEC0 5_2_00007FF7A8C0CEC0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B5A630 5_2_00007FF7A8B5A630
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B5AFE0 5_2_00007FF7A8B5AFE0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B65FA0 5_2_00007FF7A8B65FA0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8AE9780 5_2_00007FF7A8AE9780
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B3E8B0 5_2_00007FF7A8B3E8B0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8AC60E0 5_2_00007FF7A8AC60E0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: String function: 00007FF7A8A9AED0 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: String function: 00007FF7A8BBD690 appears 39 times
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 0_2_01722F68 CreateProcessAsUserA, 0_2_01722F68
Source: RFQ__637456464647.exe Binary or memory string: OriginalFilename vs RFQ__637456464647.exe
Source: RFQ__637456464647.exe, 00000000.00000000.292339706.00000000032C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs RFQ__637456464647.exe
Source: RFQ__637456464647.exe, 00000000.00000002.316474597.000000000174A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs RFQ__637456464647.exe
Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamechrome.exe< vs RFQ__637456464647.exe
Source: RFQ__637456464647.exe, 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs RFQ__637456464647.exe
Source: RFQ__637456464647.exe, 00000000.00000000.298522029.000000000174A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs RFQ__637456464647.exe
Source: RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamechrome.exe< vs RFQ__637456464647.exe
Source: RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs RFQ__637456464647.exe
Source: RFQ__637456464647.exe Binary or memory string: OriginalFilename vs RFQ__637456464647.exe
Source: RFQ__637456464647.exe, 00000001.00000000.267745770.0000000000422000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs RFQ__637456464647.exe
Source: RFQ__637456464647.exe, 00000001.00000002.527555148.0000000000F37000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs RFQ__637456464647.exe
Source: RFQ__637456464647.exe Binary or memory string: OriginalFilenameJxIIaRUTvaLxexPWTLbbe.exe4 vs RFQ__637456464647.exe
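Triage helper for the signature lines above, both the Yara "Matched rule" hits on unpacked PE and memory sources and the "OriginalFilename ... vs" version-info strings. This is an added example, not Joe Sandbox code and not part of the report: it parses lines of the shape shown into records and answers the two questions a responder asks first, which rules fired in which kind of artefact, and which embedded OriginalFilename values disagree with the submitted file name. The regexes, the record layout and the trailing-byte clean-up are assumptions about the report format; the embedded sample lines are abridged from the report.

```python
"""Triage helper for Joe Sandbox-style signature lines (added example; not code
from Joe Sandbox or from the report).  Parses "Matched rule" Yara lines and
"OriginalFilename ... vs" strings into records, then summarises them.  The line
regexes and the trailing-byte clean-up are assumptions about the format."""
import re
from collections import defaultdict

# Constructed input: lines abridged from the report above (long rule metadata cut).
REPORT_LINES = """\
Source: 0.0.RFQ__637456464647.exe.45692e0.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, author = Florian Roth, description = Detects Encrial credential stealer malware
Source: 00000001.00000002.525677202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RFQ__637456464647.exe PID: 6400, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: RFQ__637456464647.exe, 00000000.00000000.292339706.00000000032C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs RFQ__637456464647.exe
Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamechrome.exe< vs RFQ__637456464647.exe
Source: RFQ__637456464647.exe Binary or memory string: OriginalFilename vs RFQ__637456464647.exe
"""

YARA_RE = re.compile(
    r"^Source: (?P<source>.+?), type: (?P<kind>[A-Z]+) Matched rule: "
    r"(?P<rule>\S+)(?: (?P<meta>.*))?$"
)
ORIGNAME_RE = re.compile(
    r"Binary or memory string: OriginalFilename(?P<name>\S*) vs (?P<sample>\S+)$"
)


def parse_yara_hits(lines):
    """One record per 'Matched rule' line; the rule metadata becomes a dict."""
    hits = []
    for line in lines:
        m = YARA_RE.match(line.strip())
        if not m:
            continue
        meta = {}
        for pair in (m.group("meta") or "").split(", "):
            if " = " in pair:
                key, value = pair.split(" = ", 1)
                meta[key] = value
        hits.append({"source": m.group("source"), "kind": m.group("kind"),
                     "rule": m.group("rule"), "meta": meta})
    return hits


def summarize_rules(hits):
    """rule name -> {artefact kind -> hit count}.  A family rule that fires in
    MEMORY/MEMORYSTR as well as UNPACKEDPE matched the running payload, not only
    a statically carved blob."""
    summary = defaultdict(lambda: defaultdict(int))
    for h in hits:
        summary[h["rule"]][h["kind"]] += 1
    return {rule: dict(kinds) for rule, kinds in summary.items()}


def clean_original_filename(raw):
    """The report prints one stray character after the value (assumed to be the
    byte following the UTF-16 string); cut at the PE extension."""
    m = re.match(r"(.*?\.(?:exe|dll|sys))", raw, re.IGNORECASE)
    return m.group(1) if m else raw


def filename_mismatches(lines, sample_name):
    """OriginalFilename values that disagree with the submitted name (empty
    values dropped).  clr.dll belongs to the .NET runtime, not the sample, so a
    caller normally ignores it; the rest are names the payload carries internally."""
    names = set()
    for line in lines:
        m = ORIGNAME_RE.search(line.strip())
        if m:
            names.add(clean_original_filename(m.group("name")))
    return sorted(n for n in names if n and n.lower() != sample_name.lower())


if __name__ == "__main__":
    lines = REPORT_LINES.splitlines()
    print(summarize_rules(parse_yara_hits(lines)))
    print(filename_mismatches(lines, "RFQ__637456464647.exe"))
```

Feeding the whole report through `parse_yara_hits` collapses the repeated hits into one row per rule and artefact kind, which is what matters for confidence: here the family rule fires on unpacked PE, on memory dumps and on process memory strings, not just on one carved blob.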
Source: chrome.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: chrome.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: chrome.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: chrome.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: chrome.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: chrome.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: chrome.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: chrome.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: chrome.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: chrome.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: chrome.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: chrome.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: chrome.exe.0.dr Static PE information: Number of sections : 11 > 10
Source: RFQ__637456464647.exe ReversingLabs: Detection: 46%
Source: C:\Users\user\Desktop\RFQ__637456464647.exe File read: C:\Users\user\Desktop\RFQ__637456464647.exe Jump to behavior
Source: RFQ__637456464647.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
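The two static PE findings above (a section count above 10 and the characteristics of .text) come straight from the COFF header and the section table. The following is an added example, not Joe Sandbox code and not code from the sample: it walks MZ -> e_lfanew -> PE signature -> COFF header -> section headers with nothing but struct, so the same check can be run offline on a carved or unpacked PE. The PE image it checks is constructed for the example (a header skeleton with no section bodies, not the sample); the 10-section threshold, the set of expected section names and the added writable-and-executable check are this example's own assumptions.

```python
"""Static PE section checks (added example; not Joe Sandbox code).  Parses the
COFF header and section table of a PE image and emits report-style findings.
The image built by build_pe() is a constructed skeleton, not the sample."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FLAG_NAMES = (
    (IMAGE_SCN_CNT_CODE, "IMAGE_SCN_CNT_CODE"),
    (IMAGE_SCN_MEM_EXECUTE, "IMAGE_SCN_MEM_EXECUTE"),
    (IMAGE_SCN_MEM_READ, "IMAGE_SCN_MEM_READ"),
    (IMAGE_SCN_MEM_WRITE, "IMAGE_SCN_MEM_WRITE"),
)
SECTION_COUNT_THRESHOLD = 10          # assumption: mirrors the "> 10" finding
STANDARD_SECTION_NAMES = {".text", ".rdata", ".data", ".idata", ".edata",
                          ".pdata", ".rsrc", ".reloc", ".bss", ".tls", ".CRT"}
COFF_FMT = "<HHIIIHH"        # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
                             # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes; Characteristics is the last field

# Constructed section list: ten conventional names plus one odd one (11 > 10).
SAMPLE_SECTIONS = [".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                   ".rsrc", ".reloc", ".bss", ".tls", ".xyz1"]


def build_pe(section_names, text_flags):
    """Constructed PE skeleton: DOS header, PE signature, COFF header with an
    empty optional header, one section header per name, no section bodies."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew: PE header right after the DOS header
    coff = struct.pack(COFF_FMT, 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    headers = b""
    for i, name in enumerate(section_names):
        flags = text_flags if name == ".text" else IMAGE_SCN_MEM_READ
        headers += struct.pack(SECTION_FMT, name.encode("ascii"), 0x1000,
                               0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, flags)
    return bytes(dos) + b"PE\0\0" + coff + headers


def parse_sections(data):
    """Follow e_lfanew to the PE signature, read the COFF header, then the table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _chars = struct.unpack_from(COFF_FMT, data, coff_off)
    table_off = coff_off + struct.calcsize(COFF_FMT) + opt_size
    sections = []
    for i in range(nsec):
        fields = struct.unpack_from(SECTION_FMT, data, table_off + 40 * i)
        sections.append({"name": fields[0].rstrip(b"\0").decode("latin-1"),
                         "vsize": fields[1], "vaddr": fields[2],
                         "rawsize": fields[3], "characteristics": fields[9]})
    return sections


def flag_names(characteristics):
    return [label for bit, label in FLAG_NAMES if characteristics & bit]


def section_findings(data):
    """Report-style findings: section count, unexpected names, and the added
    check for a section that is both writable and executable."""
    sections = parse_sections(data)
    findings = []
    if len(sections) > SECTION_COUNT_THRESHOLD:
        findings.append(f"Number of sections : {len(sections)} > {SECTION_COUNT_THRESHOLD}")
    for s in sections:
        if s["name"] not in STANDARD_SECTION_NAMES:
            findings.append(f"non-standard section name: {s['name']!r}")
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"writable and executable section: {s['name']}")
    return findings


if __name__ == "__main__":
    image = build_pe(SAMPLE_SECTIONS,
                     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    for s in parse_sections(image):
        print(f"{s['name']:8s} {', '.join(flag_names(s['characteristics']))}")
    print(section_findings(image))
```

On a real file, replace the constructed image with the file's bytes; the parser only needs the headers, so it also works on a partially dumped image as long as the section table is present. A .text section with exactly CODE, EXECUTE and READ, as reported here, is the normal layout; what stands out in this sample is the section count and the names, not the .text flags.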
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\RFQ__637456464647.exe "C:\Users\user\Desktop\RFQ__637456464647.exe"
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Process created: C:\Users\user\Desktop\RFQ__637456464647.exe C:\Users\user\Desktop\RFQ__637456464647.exe
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Process created: C:\Users\user\AppData\Local\Temp\chrome.exe "C:\Users\user\AppData\Local\Temp\chrome.exe"
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 1296
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Process created: C:\Users\user\Desktop\RFQ__637456464647.exe C:\Users\user\Desktop\RFQ__637456464647.exe Jump to behavior
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Process created: C:\Users\user\AppData\Local\Temp\chrome.exe "C:\Users\user\AppData\Local\Temp\chrome.exe" Jump to behavior
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__637456464647.exe File created: C:\Users\user\AppData\Local\Temp\chrome.exe Jump to behavior
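The process-creation chain above is the behavioural signal an endpoint sensor sees: the sample launches a second copy of itself, drops and starts a chrome.exe from the user's Temp directory, and finally WerFault.exe is spawned with "-p 6312", the PID of the parent copy, which is the crash recorded in the report. The following is an added example, not Joe Sandbox code and not a rule shipped with the report: three checks over Sysmon-style process-creation events, a user-path executable spawning an identical copy of itself (the pattern a loader produces when it writes a payload into a suspended copy of itself), a browser-named executable started from a location where no browser is installed, and WerFault.exe naming its own parent as the crashing process. The events are constructed to mirror the report's tree: PIDs 6312 and 6400 come from the report; the other PIDs, the explorer.exe parent and the benign Chrome control event are made up; the list of expected browser directories is an assumption.

```python
"""Process-tree detection over constructed Sysmon-style events (added example;
not Joe Sandbox code).  Mirrors the creation chain in the report: self-spawn,
a browser-named executable in %TEMP%, and WerFault reporting the parent's crash."""
import ntpath
import re

BROWSER_NAMES = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
EXPECTED_BROWSER_DIRS = (        # assumption: per-machine and per-user install locations
    "\\program files\\", "\\program files (x86)\\",
    "\\appdata\\local\\google\\chrome\\application\\",
    "\\appdata\\local\\microsoft\\edge\\application\\",
)
WERFAULT_PID = re.compile(r"\s-p\s+(\d+)")

# Constructed events in Sysmon event-1 terms (Image, ParentImage, CommandLine).
# PIDs 6312 and 6400 are from the report; the rest is made up for the example.
EVENTS = [
    {"pid": 6312, "ppid": 4321, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\user\Desktop\RFQ__637456464647.exe",
     "cmdline": r'"C:\Users\user\Desktop\RFQ__637456464647.exe"'},
    {"pid": 6400, "ppid": 6312, "parent_image": r"C:\Users\user\Desktop\RFQ__637456464647.exe",
     "image": r"C:\Users\user\Desktop\RFQ__637456464647.exe",
     "cmdline": r"C:\Users\user\Desktop\RFQ__637456464647.exe"},
    {"pid": 6520, "ppid": 6312, "parent_image": r"C:\Users\user\Desktop\RFQ__637456464647.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\chrome.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\chrome.exe"'},
    {"pid": 6610, "ppid": 6312, "parent_image": r"C:\Users\user\Desktop\RFQ__637456464647.exe",
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 1296"},
    {"pid": 7000, "ppid": 4321, "parent_image": r"C:\Windows\explorer.exe",   # benign control
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
]


def in_user_path(path):
    """Anything under a profile directory counts as user-writable here."""
    return "\\users\\" in path.lower()


def rule_self_spawn(ev):
    if ev["image"].lower() == ev["parent_image"].lower() and in_user_path(ev["image"]):
        return "self-spawn of a user-path executable (payload-in-own-copy pattern)"
    return None


def rule_browser_masquerade(ev):
    name = ntpath.basename(ev["image"]).lower()
    if name in BROWSER_NAMES and not any(d in ev["image"].lower() for d in EXPECTED_BROWSER_DIRS):
        return f"{name} started from an unexpected location: {ev['image']}"
    return None


def rule_werfault_for_parent(ev):
    """WerFault is started by the faulting process itself, so '-p <pid>' equal to
    the parent PID ties the crash to a user-path parent."""
    if ntpath.basename(ev["image"]).lower() != "werfault.exe":
        return None
    m = WERFAULT_PID.search(ev["cmdline"])
    if m and int(m.group(1)) == ev["ppid"] and in_user_path(ev["parent_image"]):
        return f"WerFault reporting a crash of user-path parent pid {ev['ppid']}"
    return None


RULES = (rule_self_spawn, rule_browser_masquerade, rule_werfault_for_parent)


def detect(events):
    """Return (pid, message) for every rule that fires on every event."""
    alerts = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                alerts.append((ev["pid"], msg))
    return alerts


if __name__ == "__main__":
    for pid, msg in detect(EVENTS):
        print(pid, msg)
```

The self-spawn rule on its own is noisy (updaters and some installers do it), which is why it is restricted to user-writable paths and why the three alerts are worth correlating on the parent PID: one parent that spawns a copy of itself, drops a browser-named binary into Temp and then crashes is a far stronger signal than any of the three events alone.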
Source: chrome.exe.0.dr Binary string: HKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_PERFORMANCE_DATAHKEY_PERFORMANCE_TEXTHKEY_PERFORMANCE_NLSTEXTHKEY_CURRENT_CONFIGHKEY_DYN_DATA\Device\\Device\HarddiskVolumeverifier.dllKeyg_handles_to_closesbox_alternate_desktop_local_winstation_0x%X
Source: chrome.exe.0.dr Binary string: CreateAppContainerProfileuserenvDeriveAppContainerSidFromAppContainerNameGetAppContainerRegistryLocationGetAppContainerFolderPath\\.\pipe\%ls\%ls@g_interceptionsntdll.dllg_originalsg_ntntdll.dllNtSetInformationThreadNtOpenThreadTokenNtOpenThreadTokenExkernel32.dll\Device\
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/5@2/2
Source: C:\Users\user\Desktop\RFQ__637456464647.exe File read: C:\Users\desktop.ini
Source: 0.0.RFQ__637456464647.exe.d20000.4.unpack, u000fu0005/u0095u0005.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.RFQ__637456464647.exe.8f0000.13.unpack, u000fu0005/u0095u0005.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.RFQ__637456464647.exe.8f0000.0.unpack, u000fu0005/u0095u0005.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.RFQ__637456464647.exe.d20000.0.unpack, u000fu0005/u0095u0005.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.RFQ__637456464647.exe.8f0000.11.unpack, u000fu0005/u0095u0005.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.RFQ__637456464647.exe.8f0000.1.unpack, u000fu0005/u0095u0005.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.RFQ__637456464647.exe.d20000.0.unpack, u000fu0005/u0095u0005.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: RFQ__637456464647.exe, u000fu0005/u0095u0005.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.RFQ__637456464647.exe.d20000.1.unpack, u000fu0005/u0095u0005.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8BDA170 FormatMessageA,GetLastError, 5_2_00007FF7A8BDA170
Source: RFQ__637456464647.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6312
Source: chrome.exe String found in binary or memory: Try '%ls --help' for more information.
Source: RFQ__637456464647.exe, u0097/u0005u0002.cs Cryptographic APIs: 'CreateDecryptor'
Source: RFQ__637456464647.exe, u0097/u0005u0002.cs Cryptographic APIs: 'TransformFinalBlock'
Source: RFQ__637456464647.exe, u001a/u0094u0008.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.0.RFQ__637456464647.exe.d20000.1.unpack, u0097/u0005u0002.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.RFQ__637456464647.exe.d20000.1.unpack, u0097/u0005u0002.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.RFQ__637456464647.exe.d20000.1.unpack, u001a/u0094u0008.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.0.RFQ__637456464647.exe.d20000.4.unpack, u0097/u0005u0002.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.RFQ__637456464647.exe.d20000.4.unpack, u0097/u0005u0002.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.RFQ__637456464647.exe.d20000.4.unpack, u001a/u0094u0008.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: C:\Users\user\Desktop\RFQ__637456464647.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\RFQ__637456464647.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: RFQ__637456464647.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: RFQ__637456464647.exe Static file information: File size 2844160 > 1048576
Source: RFQ__637456464647.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ__637456464647.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2b5a00
Source: RFQ__637456464647.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: System.Windows.Forms.pdb source: WER7284.tmp.dmp.13.dr
Source: Binary string: System.Core.ni.pdbRSDSD source: WER7284.tmp.dmp.13.dr
Source: Binary string: k,C:\Windows\System.pdb source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.316242132.0000000001367000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER7284.tmp.dmp.13.dr
Source: Binary string: System.Windows.Forms.pdbxT source: WER7284.tmp.dmp.13.dr
Source: Binary string: System.ni.pdbRSDS source: WER7284.tmp.dmp.13.dr
Source: Binary string: 7.PDB source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Desktop\RFQ__637456464647.PDB source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.316242132.0000000001367000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER7284.tmp.dmp.13.dr
Source: Binary string: .pdb, source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.316242132.0000000001367000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER7284.tmp.dmp.13.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER7284.tmp.dmp.13.dr
Source: Binary string: System.pdbP>Q source: WER7284.tmp.dmp.13.dr
Source: Binary string: C:\Users\user\Desktop\RFQ__637456464647.PDB6 source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.316242132.0000000001367000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER7284.tmp.dmp.13.dr
Source: Binary string: System.pdb source: WER7284.tmp.dmp.13.dr
Source: Binary string: chrome.exe.pdb source: RFQ__637456464647.exe, 00000000.00000002.317423148.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.318083841.0000000004762000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000000.281746338.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp, chrome.exe.0.dr
Source: Binary string: System.Core.ni.pdb source: WER7284.tmp.dmp.13.dr
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D9B97 push B000005Eh; iretd 1_2_054D9BB1
Source: chrome.exe.0.dr Static PE information: section name: .00cfg
Source: chrome.exe.0.dr Static PE information: section name: .retplne
Source: chrome.exe.0.dr Static PE information: section name: CPADinfo
Source: chrome.exe.0.dr Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\RFQ__637456464647.exe File created: C:\Users\user\AppData\Local\Temp\chrome.exe
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B391C0 GetSystemTimeAsFileTime followed by cmp: cmp rdi, 13h and CTI: jc 00007FF7A8B39523h 5_2_00007FF7A8B391C0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8AA4330 GetCurrentThread,IsDebuggerPresent,GetModuleHandleW,GetProcAddress,_Init_thread_footer,GetCurrentThreadId,RaiseException, 5_2_00007FF7A8AA4330
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06482D81 LdrInitializeThunk, 1_2_06482D81
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B13980 SetUnhandledExceptionFilter,K32GetPerformanceInfo,K32GetProcessMemoryInfo,GetProcessHandleCount, 5_2_00007FF7A8B13980
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8A77D60 SetUnhandledExceptionFilter,SetConsoleCtrlHandler,_Init_thread_footer,SetProcessShutdownParameters,GetLastError, 5_2_00007FF7A8A77D60
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B9AFA0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00007FF7A8B9AFA0

HIPS / PFW / Operating System Protection Evasion

Source: RFQ__637456464647.exe, u000fu0005/u000eu0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
Source: 0.0.RFQ__637456464647.exe.d20000.1.unpack, u000fu0005/u000eu0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
Source: 0.0.RFQ__637456464647.exe.d20000.4.unpack, u000fu0005/u000eu0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
Source: 0.0.RFQ__637456464647.exe.d20000.0.unpack, u000fu0005/u000eu0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
Source: 0.2.RFQ__637456464647.exe.d20000.0.unpack, u000fu0005/u000eu0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
Source: 1.0.RFQ__637456464647.exe.8f0000.0.unpack, u000fu0005/u000eu0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
Source: 1.0.RFQ__637456464647.exe.8f0000.11.unpack, u000fu0005/u000eu0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
Source: 1.0.RFQ__637456464647.exe.400000.12.unpack, ufffdW?ufffd?/u061d????.cs Reference to suspicious API methods: ('???Z?', 'MapVirtualKey@user32.dll')
Source: 1.0.RFQ__637456464647.exe.400000.12.unpack, ?u0040???/ufffd?ufffd??.cs Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 1.0.RFQ__637456464647.exe.8f0000.13.unpack, u000fu0005/u000eu0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
Source: 1.0.RFQ__637456464647.exe.8f0000.1.unpack, u000fu0005/u000eu0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Memory written: C:\Users\user\Desktop\RFQ__637456464647.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Process created: C:\Users\user\Desktop\RFQ__637456464647.exe C:\Users\user\Desktop\RFQ__637456464647.exe
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Process created: C:\Users\user\AppData\Local\Temp\chrome.exe "C:\Users\user\AppData\Local\Temp\chrome.exe"
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Queries volume information: C:\Users\user\Desktop\RFQ__637456464647.exe VolumeInformation
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8AC60E0 VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,_Init_thread_footer,CreateNamedPipeW,SetLastError,GetLastError,GetLastError, 5_2_00007FF7A8AC60E0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B8819C GetSystemTimeAsFileTime, 5_2_00007FF7A8B8819C
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8A8B550 GetVersionExW,GetProductInfo,_Init_thread_footer,GetNativeSystemInfo,_Init_thread_footer, 5_2_00007FF7A8A8B550

Stealing of Sensitive Information

Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.45692e0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.42c9510.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.45692e0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.42c9510.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__637456464647.exe.45692e0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__637456464647.exe.42c9510.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__637456464647.exe.42c9510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.42c9510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__637456464647.exe.45692e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.42c9510.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.45692e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.266228380.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.525677202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.300985988.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.270358708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.268966946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.318129181.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.292477124.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.300121250.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317478170.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.299489390.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ__637456464647.exe PID: 6312, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RFQ__637456464647.exe PID: 6400, type: MEMORYSTR
Source: C:\Users\user\Desktop\RFQ__637456464647.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\RFQ__637456464647.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\RFQ__637456464647.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.45692e0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.42c9510.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.45692e0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.42c9510.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__637456464647.exe.45692e0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__637456464647.exe.42c9510.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__637456464647.exe.42c9510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.42c9510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__637456464647.exe.45692e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.42c9510.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.45692e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.266228380.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.525677202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.300985988.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.270358708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.268966946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.318129181.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.292477124.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.300121250.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317478170.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.299489390.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ__637456464647.exe PID: 6312, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RFQ__637456464647.exe PID: 6400, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.45692e0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.42c9510.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.45692e0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.42c9510.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__637456464647.exe.45692e0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__637456464647.exe.42c9510.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__637456464647.exe.42c9510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.42c9510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__637456464647.exe.45692e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.42c9510.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RFQ__637456464647.exe.45692e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.266228380.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.525677202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.300985988.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.270358708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.268966946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.318129181.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.292477124.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.300121250.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.317478170.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.299489390.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ__637456464647.exe PID: 6312, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RFQ__637456464647.exe PID: 6400, type: MEMORYSTR