Edit tour

Windows Analysis Report
RFQ pdf.exe

Overview

General Information

Sample Name:	RFQ pdf.exe
Analysis ID:	708249
MD5:	2186990b3fc8fb51de0d235276613505
SHA1:	5e8223137622466c1eca35271586dd6824fb5b1c
SHA256:	e2d1f7e5fe7da6323d2b8105d8aabfbcaf21603059a05c263e14cc079b371718
Tags:	exeSnakeKeylogger
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AntiVM3

Snort IDS alert for network traffic

.NET source code references suspicious native API functions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

May check the online IP address of the machine

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Sample file is different than original file name gathered from version info

PE file contains strange resources

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

RFQ pdf.exe (PID: 3868 cmdline: "C:\Users\user\Desktop\RFQ pdf.exe" MD5: 2186990B3FC8FB51DE0D235276613505)

RFQ pdf.exe (PID: 3672 cmdline: C:\Users\user\Desktop\RFQ pdf.exe MD5: 2186990B3FC8FB51DE0D235276613505)

WerFault.exe (PID: 3096 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1516 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram Token": "5149109129:AAGFSJSlChXwgqfifOahBX2gfNaVHTpF5Mk", "Telegram ID": "2014219704"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18584:$x1: $%SMTPDV$ 0x1724a:$x2: $#TheHashHere%& 0x1852c:$x3: %FTPDV$ 0x1722c:$x4: $%TelegramDv$ 0x14b41:$x5: KeyLoggerEventArgs 0x14ed7:$x5: KeyLoggerEventArgs 0x185b0:$m1: \| Snake Keylogger 0x18656:$m1: \| Snake Keylogger 0x187aa:$m1: \| Snake Keylogger 0x188d0:$m1: \| Snake Keylogger 0x18a2a:$m1: \| Snake Keylogger 0x18550:$m2: Clipboard Logs ID 0x18760:$m2: Screenshot Logs ID 0x18874:$m2: keystroke Logs ID 0x18a60:$m3: SnakePW 0x18738:$m4: \SnakeKeylogger\
00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13948:$a1: get_encryptedPassword 0x13c34:$a2: get_encryptedUsername 0x13754:$a3: get_timePasswordChanged 0x1384f:$a4: get_passwordField 0x1395e:$a5: set_encryptedPassword 0x14f74:$a7: get_logins 0x14ed7:$a10: KeyLoggerEventArgs 0x14b41:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.282302542.000000000293F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x3a19c:$x1: $%SMTPDV$ 0x14eb44:$x1: $%SMTPDV$ 0x16e164:$x1: $%SMTPDV$ 0x38e62:$x2: $#TheHashHere%& 0x14d80a:$x2: $#TheHashHere%& 0x16ce2a:$x2: $#TheHashHere%& 0x3a144:$x3: %FTPDV$ 0x14eaec:$x3: %FTPDV$ 0x16e10c:$x3: %FTPDV$ 0x38e44:$x4: $%TelegramDv$ 0x14d7ec:$x4: $%TelegramDv$ 0x16ce0c:$x4: $%TelegramDv$ 0x36759:$x5: KeyLoggerEventArgs 0x36aef:$x5: KeyLoggerEventArgs 0x14b101:$x5: KeyLoggerEventArgs 0x14b497:$x5: KeyLoggerEventArgs 0x16a721:$x5: KeyLoggerEventArgs 0x16aab7:$x5: KeyLoggerEventArgs 0x3a1c8:$m1: \| Snake Keylogger 0x3a26e:$m1: \| Snake Keylogger 0x3a3c2:$m1: \| Snake Keylogger
00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35560:$a1: get_encryptedPassword 0x149f08:$a1: get_encryptedPassword 0x169528:$a1: get_encryptedPassword 0x3584c:$a2: get_encryptedUsername 0x14a1f4:$a2: get_encryptedUsername 0x169814:$a2: get_encryptedUsername 0x3536c:$a3: get_timePasswordChanged 0x149d14:$a3: get_timePasswordChanged 0x169334:$a3: get_timePasswordChanged 0x35467:$a4: get_passwordField 0x149e0f:$a4: get_passwordField 0x16942f:$a4: get_passwordField 0x35576:$a5: set_encryptedPassword 0x149f1e:$a5: set_encryptedPassword 0x16953e:$a5: set_encryptedPassword 0x36b8c:$a7: get_logins 0x14b534:$a7: get_logins 0x16ab54:$a7: get_logins 0x36aef:$a10: KeyLoggerEventArgs 0x14b497:$a10: KeyLoggerEventArgs 0x16aab7:$a10: KeyLoggerEventArgs
Process Memory Space: RFQ pdf.exe PID: 3868	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RFQ pdf.exe PID: 3868	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RFQ pdf.exe PID: 3868	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RFQ pdf.exe PID: 3868	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RFQ pdf.exe PID: 3868	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x4dcef:$x5: KeyLoggerEventArgs 0x4e085:$x5: KeyLoggerEventArgs 0x4ea7d:$x5: KeyLoggerEventArgs 0x4edde:$x5: KeyLoggerEventArgs 0x50285:$m1: \| Snake Keylogger 0x502d4:$m1: \| Snake Keylogger 0x50368:$m1: \| Snake Keylogger 0x503c9:$m1: \| Snake Keylogger 0x5043e:$m1: \| Snake Keylogger 0x50254:$m2: Clipboard Logs ID 0x50343:$m2: Screenshot Logs ID 0x5039b:$m2: keystroke Logs ID 0x50459:$m3: SnakePW 0x5032f:$m4: \SnakeKeylogger\
Process Memory Space: RFQ pdf.exe PID: 3868	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4bdc5:$a1: get_encryptedPassword 0x4c0a7:$a2: get_encryptedUsername 0x4bbdb:$a3: get_timePasswordChanged 0x4bcd6:$a4: get_passwordField 0x4bddb:$a5: set_encryptedPassword 0x4e122:$a7: get_logins 0x4e085:$a10: KeyLoggerEventArgs 0x4dcef:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RFQ pdf.exe PID: 3672	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RFQ pdf.exe PID: 3672	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RFQ pdf.exe PID: 3672	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RFQ pdf.exe PID: 3672	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x4fd4:$x5: KeyLoggerEventArgs 0x536a:$x5: KeyLoggerEventArgs 0x5d62:$x5: KeyLoggerEventArgs 0x60c3:$x5: KeyLoggerEventArgs 0x756a:$m1: \| Snake Keylogger 0x75b9:$m1: \| Snake Keylogger 0x764d:$m1: \| Snake Keylogger 0x76ae:$m1: \| Snake Keylogger 0x7723:$m1: \| Snake Keylogger 0x7539:$m2: Clipboard Logs ID 0x7628:$m2: Screenshot Logs ID 0x7680:$m2: keystroke Logs ID 0x773e:$m3: SnakePW 0x7614:$m4: \SnakeKeylogger\
Process Memory Space: RFQ pdf.exe PID: 3672	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x30aa:$a1: get_encryptedPassword 0x338c:$a2: get_encryptedUsername 0x2ec0:$a3: get_timePasswordChanged 0x2fbb:$a4: get_passwordField 0x30c0:$a5: set_encryptedPassword 0x5407:$a7: get_logins 0x536a:$a10: KeyLoggerEventArgs 0x4fd4:$a11: KeyLoggerEventArgsEventHandler
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.0.RFQ pdf.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b084:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a26d:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a6b4:$a4: \Orbitum\User Data\Default\Login Data 0x1b835:$a5: \Kometa\User Data\Default\Login Data
2.0.RFQ pdf.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.0.RFQ pdf.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.0.RFQ pdf.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.0.RFQ pdf.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.0.RFQ pdf.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x146d1:$s1: UnHook 0x146d8:$s2: SetHook 0x146e0:$s3: CallNextHook 0x146ed:$s4: _hook
2.0.RFQ pdf.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18784:$x1: $%SMTPDV$ 0x1744a:$x2: $#TheHashHere%& 0x1872c:$x3: %FTPDV$ 0x1742c:$x4: $%TelegramDv$ 0x14d41:$x5: KeyLoggerEventArgs 0x150d7:$x5: KeyLoggerEventArgs 0x187b0:$m1: \| Snake Keylogger 0x18856:$m1: \| Snake Keylogger 0x189aa:$m1: \| Snake Keylogger 0x18ad0:$m1: \| Snake Keylogger 0x18c2a:$m1: \| Snake Keylogger 0x18750:$m2: Clipboard Logs ID 0x18960:$m2: Screenshot Logs ID 0x18a74:$m2: keystroke Logs ID 0x18c60:$m3: SnakePW 0x18938:$m4: \SnakeKeylogger\
2.0.RFQ pdf.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13b48:$a1: get_encryptedPassword 0x13e34:$a2: get_encryptedUsername 0x13954:$a3: get_timePasswordChanged 0x13a4f:$a4: get_passwordField 0x13b5e:$a5: set_encryptedPassword 0x15174:$a7: get_logins 0x150d7:$a10: KeyLoggerEventArgs 0x14d41:$a11: KeyLoggerEventArgsEventHandler
0.2.RFQ pdf.exe.3af6a18.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x19284:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1846d:$a3: \Google\Chrome\User Data\Default\Login Data 0x188b4:$a4: \Orbitum\User Data\Default\Login Data 0x19a35:$a5: \Kometa\User Data\Default\Login Data
0.2.RFQ pdf.exe.3af6a18.8.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.RFQ pdf.exe.3af6a18.8.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.RFQ pdf.exe.3af6a18.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.RFQ pdf.exe.3af6a18.8.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x128d1:$s1: UnHook 0x128d8:$s2: SetHook 0x128e0:$s3: CallNextHook 0x128ed:$s4: _hook
0.2.RFQ pdf.exe.3af6a18.8.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16984:$x1: $%SMTPDV$ 0x1564a:$x2: $#TheHashHere%& 0x1692c:$x3: %FTPDV$ 0x1562c:$x4: $%TelegramDv$ 0x12f41:$x5: KeyLoggerEventArgs 0x132d7:$x5: KeyLoggerEventArgs 0x169b0:$m1: \| Snake Keylogger 0x16a56:$m1: \| Snake Keylogger 0x16baa:$m1: \| Snake Keylogger 0x16cd0:$m1: \| Snake Keylogger 0x16e2a:$m1: \| Snake Keylogger 0x16950:$m2: Clipboard Logs ID 0x16b60:$m2: Screenshot Logs ID 0x16c74:$m2: keystroke Logs ID 0x16e60:$m3: SnakePW 0x16b38:$m4: \SnakeKeylogger\
0.2.RFQ pdf.exe.3af6a18.8.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x11d48:$a1: get_encryptedPassword 0x12034:$a2: get_encryptedUsername 0x11b54:$a3: get_timePasswordChanged 0x11c4f:$a4: get_passwordField 0x11d5e:$a5: set_encryptedPassword 0x13374:$a7: get_logins 0x132d7:$a10: KeyLoggerEventArgs 0x12f41:$a11: KeyLoggerEventArgsEventHandler
0.2.RFQ pdf.exe.3b91da0.9.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x946a4:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xb3cc4:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x9388d:$a3: \Google\Chrome\User Data\Default\Login Data 0xb2ead:$a3: \Google\Chrome\User Data\Default\Login Data 0x93cd4:$a4: \Orbitum\User Data\Default\Login Data 0xb32f4:$a4: \Orbitum\User Data\Default\Login Data 0x94e55:$a5: \Kometa\User Data\Default\Login Data 0xb4475:$a5: \Kometa\User Data\Default\Login Data
0.2.RFQ pdf.exe.3b91da0.9.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.RFQ pdf.exe.3b91da0.9.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.RFQ pdf.exe.3b91da0.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.RFQ pdf.exe.3b91da0.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.RFQ pdf.exe.3b91da0.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x8dcf1:$s1: UnHook 0xad311:$s1: UnHook 0x8dcf8:$s2: SetHook 0xad318:$s2: SetHook 0x8dd00:$s3: CallNextHook 0xad320:$s3: CallNextHook 0x8dd0d:$s4: _hook 0xad32d:$s4: _hook
0.2.RFQ pdf.exe.3b91da0.9.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x91da4:$x1: $%SMTPDV$ 0xb13c4:$x1: $%SMTPDV$ 0x90a6a:$x2: $#TheHashHere%& 0xb008a:$x2: $#TheHashHere%& 0x91d4c:$x3: %FTPDV$ 0xb136c:$x3: %FTPDV$ 0x90a4c:$x4: $%TelegramDv$ 0xb006c:$x4: $%TelegramDv$ 0x8e361:$x5: KeyLoggerEventArgs 0x8e6f7:$x5: KeyLoggerEventArgs 0xad981:$x5: KeyLoggerEventArgs 0xadd17:$x5: KeyLoggerEventArgs 0x91dd0:$m1: \| Snake Keylogger 0x91e76:$m1: \| Snake Keylogger 0x91fca:$m1: \| Snake Keylogger 0x920f0:$m1: \| Snake Keylogger 0x9224a:$m1: \| Snake Keylogger 0xb13f0:$m1: \| Snake Keylogger 0xb1496:$m1: \| Snake Keylogger 0xb15ea:$m1: \| Snake Keylogger 0xb1710:$m1: \| Snake Keylogger
0.2.RFQ pdf.exe.3b91da0.9.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x8d168:$a1: get_encryptedPassword 0xac788:$a1: get_encryptedPassword 0x8d454:$a2: get_encryptedUsername 0xaca74:$a2: get_encryptedUsername 0x8cf74:$a3: get_timePasswordChanged 0xac594:$a3: get_timePasswordChanged 0x8d06f:$a4: get_passwordField 0xac68f:$a4: get_passwordField 0x8d17e:$a5: set_encryptedPassword 0xac79e:$a5: set_encryptedPassword 0x8e794:$a7: get_logins 0xaddb4:$a7: get_logins 0x8e6f7:$a10: KeyLoggerEventArgs 0xadd17:$a10: KeyLoggerEventArgs 0x8e361:$a11: KeyLoggerEventArgsEventHandler 0xad981:$a11: KeyLoggerEventArgsEventHandler
0.2.RFQ pdf.exe.3af6a18.8.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.RFQ pdf.exe.3af6a18.8.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.RFQ pdf.exe.3af6a18.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.RFQ pdf.exe.3af6a18.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.RFQ pdf.exe.3af6a18.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x146d1:$s1: UnHook 0x129079:$s1: UnHook 0x148699:$s1: UnHook 0x146d8:$s2: SetHook 0x129080:$s2: SetHook 0x1486a0:$s2: SetHook 0x146e0:$s3: CallNextHook 0x129088:$s3: CallNextHook 0x1486a8:$s3: CallNextHook 0x146ed:$s4: _hook 0x129095:$s4: _hook 0x1486b5:$s4: _hook
0.2.RFQ pdf.exe.3af6a18.8.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18784:$x1: $%SMTPDV$ 0x12d12c:$x1: $%SMTPDV$ 0x14c74c:$x1: $%SMTPDV$ 0x1744a:$x2: $#TheHashHere%& 0x12bdf2:$x2: $#TheHashHere%& 0x14b412:$x2: $#TheHashHere%& 0x1872c:$x3: %FTPDV$ 0x12d0d4:$x3: %FTPDV$ 0x14c6f4:$x3: %FTPDV$ 0x1742c:$x4: $%TelegramDv$ 0x12bdd4:$x4: $%TelegramDv$ 0x14b3f4:$x4: $%TelegramDv$ 0x14d41:$x5: KeyLoggerEventArgs 0x150d7:$x5: KeyLoggerEventArgs 0x1296e9:$x5: KeyLoggerEventArgs 0x129a7f:$x5: KeyLoggerEventArgs 0x148d09:$x5: KeyLoggerEventArgs 0x14909f:$x5: KeyLoggerEventArgs 0x187b0:$m1: \| Snake Keylogger 0x18856:$m1: \| Snake Keylogger 0x189aa:$m1: \| Snake Keylogger
0.2.RFQ pdf.exe.3af6a18.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13b48:$a1: get_encryptedPassword 0x1284f0:$a1: get_encryptedPassword 0x147b10:$a1: get_encryptedPassword 0x13e34:$a2: get_encryptedUsername 0x1287dc:$a2: get_encryptedUsername 0x147dfc:$a2: get_encryptedUsername 0x13954:$a3: get_timePasswordChanged 0x1282fc:$a3: get_timePasswordChanged 0x14791c:$a3: get_timePasswordChanged 0x13a4f:$a4: get_passwordField 0x1283f7:$a4: get_passwordField 0x147a17:$a4: get_passwordField 0x13b5e:$a5: set_encryptedPassword 0x128506:$a5: set_encryptedPassword 0x147b26:$a5: set_encryptedPassword 0x15174:$a7: get_logins 0x129b1c:$a7: get_logins 0x14913c:$a7: get_logins 0x150d7:$a10: KeyLoggerEventArgs 0x129a7f:$a10: KeyLoggerEventArgs 0x14909f:$a10: KeyLoggerEventArgs
0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x35cf1:$s1: UnHook 0x14a699:$s1: UnHook 0x169cb9:$s1: UnHook 0x35cf8:$s2: SetHook 0x14a6a0:$s2: SetHook 0x169cc0:$s2: SetHook 0x35d00:$s3: CallNextHook 0x14a6a8:$s3: CallNextHook 0x169cc8:$s3: CallNextHook 0x35d0d:$s4: _hook 0x14a6b5:$s4: _hook 0x169cd5:$s4: _hook
0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x39da4:$x1: $%SMTPDV$ 0x14e74c:$x1: $%SMTPDV$ 0x16dd6c:$x1: $%SMTPDV$ 0x38a6a:$x2: $#TheHashHere%& 0x14d412:$x2: $#TheHashHere%& 0x16ca32:$x2: $#TheHashHere%& 0x39d4c:$x3: %FTPDV$ 0x14e6f4:$x3: %FTPDV$ 0x16dd14:$x3: %FTPDV$ 0x38a4c:$x4: $%TelegramDv$ 0x14d3f4:$x4: $%TelegramDv$ 0x16ca14:$x4: $%TelegramDv$ 0x36361:$x5: KeyLoggerEventArgs 0x366f7:$x5: KeyLoggerEventArgs 0x14ad09:$x5: KeyLoggerEventArgs 0x14b09f:$x5: KeyLoggerEventArgs 0x16a329:$x5: KeyLoggerEventArgs 0x16a6bf:$x5: KeyLoggerEventArgs 0x39dd0:$m1: \| Snake Keylogger 0x39e76:$m1: \| Snake Keylogger 0x39fca:$m1: \| Snake Keylogger
0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35168:$a1: get_encryptedPassword 0x149b10:$a1: get_encryptedPassword 0x169130:$a1: get_encryptedPassword 0x35454:$a2: get_encryptedUsername 0x149dfc:$a2: get_encryptedUsername 0x16941c:$a2: get_encryptedUsername 0x34f74:$a3: get_timePasswordChanged 0x14991c:$a3: get_timePasswordChanged 0x168f3c:$a3: get_timePasswordChanged 0x3506f:$a4: get_passwordField 0x149a17:$a4: get_passwordField 0x169037:$a4: get_passwordField 0x3517e:$a5: set_encryptedPassword 0x149b26:$a5: set_encryptedPassword 0x169146:$a5: set_encryptedPassword 0x36794:$a7: get_logins 0x14b13c:$a7: get_logins 0x16a75c:$a7: get_logins 0x366f7:$a10: KeyLoggerEventArgs 0x14b09f:$a10: KeyLoggerEventArgs 0x16a6bf:$a10: KeyLoggerEventArgs
Click to see the 32 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check - Source IP: 192.168.2.6 - Destination IP: 193.122.6.168

Timestamp:	192.168.2.6193.122.6.16849721802842536 09/23/22-08:12:30.599509
SID:	2842536
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: RFQ pdf.exe	Virustotal: Detection: 40%			Perma Link
Source: RFQ pdf.exe	ReversingLabs: Detection: 20%

Machine Learning detection for sample

Source: RFQ pdf.exe

Joe Sandbox ML: detected

Source: 2.0.RFQ pdf.exe.400000.0.unpack

Avira: Label: TR/ATRAPS.Gen

Source: 2.0.RFQ pdf.exe.400000.0.unpack

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram Token": "5149109129:AAGFSJSlChXwgqfifOahBX2gfNaVHTpF5Mk", "Telegram ID": "2014219704"}

Source: RFQ pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: RFQ pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Core.ni.pdbRSDSD source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Xml.ni.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: mscorlib.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.ni.pdbRSDS source: WER7306.tmp.dmp.13.dr
Source:	Binary string: C:\Users\user\Desktop\RFQ pdf.PDB source: RFQ pdf.exe, 00000002.00000000.294251297.0000000000977000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RFQ pdf.PDB05 source: RFQ pdf.exe, 00000002.00000000.294251297.0000000000977000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.pdbj source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Core.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: (Pij0C:\Windows\mscorlib.pdb source: RFQ pdf.exe, 00000002.00000000.294251297.0000000000977000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Core.pdb% source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: MC:\Users\user\Desktop\RFQ pdf.PDB@ source: RFQ pdf.exe, 00000002.00000000.294251297.0000000000977000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Xml.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.ni.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Core.ni.pdb source: WER7306.tmp.dmp.13.dr

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2842536 ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.6:49721 -> 193.122.6.168:80

May check the online IP address of the machine

Source: C:\Users\user\Desktop\RFQ pdf.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\RFQ pdf.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\RFQ pdf.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\RFQ pdf.exe	DNS query: name: checkip.dyndns.org

Yara detected Generic Downloader

Source: Yara match	File source: 2.0.RFQ pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ pdf.exe.3b91da0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ pdf.exe.3af6a18.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View

ASN Name: ORACLE-BMC-31898US ORACLE-BMC-31898US

Source: Joe Sandbox View

IP Address: 193.122.6.168 193.122.6.168

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: RFQ pdf.exe, 00000002.00000000.296286193.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RFQ pdf.exe, 00000002.00000000.295643828.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, RFQ pdf.exe, 00000002.00000000.296286193.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RFQ pdf.exe, 00000002.00000000.295643828.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RFQ pdf.exe, 00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp, RFQ pdf.exe, 00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RFQ pdf.exe, 00000002.00000000.295643828.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org4
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: RFQ pdf.exe, 00000002.00000000.295643828.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: RFQ pdf.exe, 00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp, RFQ pdf.exe, 00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.0.RFQ pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.0.RFQ pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.0.RFQ pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.0.RFQ pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RFQ pdf.exe.3af6a18.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ pdf.exe.3af6a18.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ pdf.exe.3af6a18.8.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ pdf.exe.3af6a18.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RFQ pdf.exe.3b91da0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ pdf.exe.3b91da0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ pdf.exe.3b91da0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ pdf.exe.3b91da0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RFQ pdf.exe.3af6a18.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ pdf.exe.3af6a18.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ pdf.exe.3af6a18.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RFQ pdf.exe PID: 3868, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RFQ pdf.exe PID: 3868, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RFQ pdf.exe PID: 3672, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RFQ pdf.exe PID: 3672, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: RFQ pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.0.RFQ pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.0.RFQ pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.0.RFQ pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.0.RFQ pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ pdf.exe.3af6a18.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.RFQ pdf.exe.3af6a18.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ pdf.exe.3af6a18.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ pdf.exe.3af6a18.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ pdf.exe.3b91da0.9.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.RFQ pdf.exe.3b91da0.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ pdf.exe.3b91da0.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ pdf.exe.3b91da0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ pdf.exe.3af6a18.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ pdf.exe.3af6a18.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ pdf.exe.3af6a18.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RFQ pdf.exe PID: 3868, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RFQ pdf.exe PID: 3868, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RFQ pdf.exe PID: 3672, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RFQ pdf.exe PID: 3672, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\RFQ pdf.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1516

Source: C:\Users\user\Desktop\RFQ pdf.exe	Code function: 0_2_00E6C174
Source: C:\Users\user\Desktop\RFQ pdf.exe	Code function: 0_2_00E6E76A
Source: C:\Users\user\Desktop\RFQ pdf.exe	Code function: 0_2_00E6E778

Source: RFQ pdf.exe, 00000000.00000002.289241472.0000000008190000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs RFQ pdf.exe
Source: RFQ pdf.exe, 00000000.00000002.283489819.00000000038F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMetal.dllJ vs RFQ pdf.exe
Source: RFQ pdf.exe, 00000000.00000002.282566547.00000000029AB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs RFQ pdf.exe
Source: RFQ pdf.exe, 00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs RFQ pdf.exe
Source: RFQ pdf.exe, 00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMetal.dllJ vs RFQ pdf.exe
Source: RFQ pdf.exe, 00000000.00000002.282536796.00000000029A2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs RFQ pdf.exe
Source: RFQ pdf.exe, 00000000.00000002.282064235.00000000028F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs RFQ pdf.exe
Source: RFQ pdf.exe, 00000000.00000002.282302542.000000000293F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs RFQ pdf.exe
Source: RFQ pdf.exe, 00000000.00000002.289118066.0000000008120000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTargetParameterCount.dll> vs RFQ pdf.exe
Source: RFQ pdf.exe, 00000000.00000000.237367976.00000000004F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDcCI.exeF vs RFQ pdf.exe
Source: RFQ pdf.exe, 00000000.00000002.289308515.0000000008330000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMetal.dllJ vs RFQ pdf.exe
Source: RFQ pdf.exe, 00000002.00000000.277130065.0000000000422000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs RFQ pdf.exe
Source: RFQ pdf.exe	Binary or memory string: OriginalFilenameDcCI.exeF vs RFQ pdf.exe

Source: RFQ pdf.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RFQ pdf.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RFQ pdf.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: RFQ pdf.exe	Virustotal: Detection: 40%
Source: RFQ pdf.exe	ReversingLabs: Detection: 20%

Source: C:\Users\user\Desktop\RFQ pdf.exe

File read: C:\Users\user\Desktop\RFQ pdf.exe

Jump to behavior

Source: RFQ pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RFQ pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\RFQ pdf.exe "C:\Users\user\Desktop\RFQ pdf.exe"
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process created: C:\Users\user\Desktop\RFQ pdf.exe C:\Users\user\Desktop\RFQ pdf.exe
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1516
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process created: C:\Users\user\Desktop\RFQ pdf.exe C:\Users\user\Desktop\RFQ pdf.exe

Source: C:\Users\user\Desktop\RFQ pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: C:\Users\user\Desktop\RFQ pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ pdf.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7306.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/5@2/1

Source: RFQ pdf.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\RFQ pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\RFQ pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3672

Source: 2.0.RFQ pdf.exe.400000.0.unpack, ?ufffd?Om/?????.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 2.0.RFQ pdf.exe.400000.0.unpack, ufffd???ufffd/u2964ufffd?ufffd?.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\RFQ pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RFQ pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RFQ pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\RFQ pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: RFQ pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RFQ pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: RFQ pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Windows.Forms.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Core.ni.pdbRSDSD source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Xml.ni.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: mscorlib.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.ni.pdbRSDS source: WER7306.tmp.dmp.13.dr
Source:	Binary string: C:\Users\user\Desktop\RFQ pdf.PDB source: RFQ pdf.exe, 00000002.00000000.294251297.0000000000977000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RFQ pdf.PDB05 source: RFQ pdf.exe, 00000002.00000000.294251297.0000000000977000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.pdbj source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Core.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: (Pij0C:\Windows\mscorlib.pdb source: RFQ pdf.exe, 00000002.00000000.294251297.0000000000977000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Core.pdb% source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: MC:\Users\user\Desktop\RFQ pdf.PDB@ source: RFQ pdf.exe, 00000002.00000000.294251297.0000000000977000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Xml.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.ni.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER7306.tmp.dmp.13.dr
Source:	Binary string: System.Core.ni.pdb source: WER7306.tmp.dmp.13.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: RFQ pdf.exe, order_management_system.cs	.Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.RFQ pdf.exe.4f0000.0.unpack, order_management_system.cs	.Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: RFQ pdf.exe

Static PE information: 0xD08A45BE [Wed Nov 13 11:25:50 2080 UTC]

Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.282302542.000000000293F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ pdf.exe PID: 3868, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RFQ pdf.exe, 00000000.00000002.282302542.000000000293F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: RFQ pdf.exe, 00000000.00000002.282302542.000000000293F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME VIDEOBIOSVERSION

Source: C:\Users\user\Desktop\RFQ pdf.exe TID: 3808	Thread sleep time: -41226s >= -30000s
Source: C:\Users\user\Desktop\RFQ pdf.exe TID: 2044	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\RFQ pdf.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\RFQ pdf.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\RFQ pdf.exe	Thread delayed: delay time: 41226
Source: C:\Users\user\Desktop\RFQ pdf.exe	Thread delayed: delay time: 922337203685477

Source: RFQ pdf.exe, 00000000.00000002.282302542.000000000293F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: RFQ pdf.exe, 00000000.00000002.282302542.000000000293F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: QEMUTSOFTWARE\Oracle\VirtualBox Guest Additions
Source: RFQ pdf.exe, 00000000.00000002.282302542.000000000293F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: RFQ pdf.exe, 00000000.00000002.282302542.000000000293F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\NSYSTEM\ControlSet001\Services\Disk\Enum
Source: RFQ pdf.exe, 00000000.00000002.282302542.000000000293F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: RFQ pdf.exe, 00000000.00000002.282302542.000000000293F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings$Device DescriptionDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\RFQ pdf.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\RFQ pdf.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\RFQ pdf.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\RFQ pdf.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 2.0.RFQ pdf.exe.400000.0.unpack, ufffd???ufffd/u2964ufffd?ufffd?.cs	Reference to suspicious API methods: ('?K?U?', 'MapVirtualKey@user32.dll')
Source: 2.0.RFQ pdf.exe.400000.0.unpack, m??ufffd?/A???ufffd.cs	Reference to suspicious API methods: ('?K???', 'LoadLibrary@kernel32.dll'), ('?C???', 'GetProcAddress@kernel32')

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\RFQ pdf.exe

Memory written: C:\Users\user\Desktop\RFQ pdf.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\RFQ pdf.exe

Process created: C:\Users\user\Desktop\RFQ pdf.exe C:\Users\user\Desktop\RFQ pdf.exe

Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Users\user\Desktop\RFQ pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Users\user\Desktop\RFQ pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\RFQ pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 2.0.RFQ pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ pdf.exe.3af6a18.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ pdf.exe.3b91da0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ pdf.exe.3af6a18.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ pdf.exe PID: 3868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RFQ pdf.exe PID: 3672, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 2.0.RFQ pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ pdf.exe.3af6a18.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ pdf.exe.3b91da0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ pdf.exe.3af6a18.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ pdf.exe PID: 3868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RFQ pdf.exe PID: 3672, type: MEMORYSTR

Source: Yara match	File source: 2.0.RFQ pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ pdf.exe.3af6a18.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ pdf.exe.3b91da0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ pdf.exe.3af6a18.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ pdf.exe PID: 3868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RFQ pdf.exe PID: 3672, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 2.0.RFQ pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ pdf.exe.3af6a18.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ pdf.exe.3b91da0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ pdf.exe.3af6a18.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ pdf.exe PID: 3868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RFQ pdf.exe PID: 3672, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 2.0.RFQ pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ pdf.exe.3af6a18.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ pdf.exe.3b91da0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ pdf.exe.3af6a18.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ pdf.exe.3ad53f8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ pdf.exe PID: 3868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RFQ pdf.exe PID: 3672, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	111 Process Injection	1 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	12 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 Software Packing	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Timestomp	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RFQ pdf.exe	40%	Virustotal		Browse
RFQ pdf.exe	21%	ReversingLabs	ByteCode-MSIL.Spyware.SnakeLogger
RFQ pdf.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.0.RFQ pdf.exe.400000.0.unpack	100%	Avira	TR/ATRAPS.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://checkip.dyndns.org4	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
checkip.dyndns.com	193.122.6.168	true	true		unknown
checkip.dyndns.org	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot	RFQ pdf.exe, 00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp, RFQ pdf.exe, 00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	RFQ pdf.exe, 00000002.00000000.295643828.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, RFQ pdf.exe, 00000002.00000000.296286193.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org4	RFQ pdf.exe, 00000002.00000000.295643828.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	RFQ pdf.exe, 00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp, RFQ pdf.exe, 00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	RFQ pdf.exe, 00000002.00000000.296286193.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RFQ pdf.exe, 00000002.00000000.295643828.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	RFQ pdf.exe, 00000000.00000002.287208764.0000000006952000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	708249
Start date and time:	2022-09-23 08:11:14 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 23s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	RFQ pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/5@2/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, RuntimeBroker.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 80.67.82.235, 80.67.82.211, 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, a1449.dscg2.akamai.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:12:19	API Interceptor	1x Sleep call for process: RFQ pdf.exe modified
08:12:40	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RFQ pdf.exe_5ece828fd8a15294e4f5abc1119a13c828c91fd_89bec156_0c768749\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0866289988917461
Encrypted:	false
SSDEEP:	192:eSYsR3iHHBUZMXyaPbqwiPZ/u7s5S274ItG:eBsR38BUZMXyaIPZ/u7s5X4ItG
MD5:	DCB523DDFDAAF1E34C7DAE8745AD4CEF
SHA1:	2482DE233400A04C84F6FE9CD8058A7447D4383E
SHA-256:	7A294EEF8ED96FA33B5C8AC6EA2A79372104F7227DE4DFC4D2CB0FA05C717EF9
SHA-512:	51421FF075BE4E26BBAF196DCDF5F7632A491D514E3B4E8CC7DB8D938AA5FE423D7AF269E9C6E7E51E802763069ABD0395A566AF929A1066FD2CAB80BB41D41B
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.8.4.1.9.5.5.6.0.7.8.3.5.9.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.0.8.4.1.9.5.5.8.2.6.5.8.7.8.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.3.e.7.8.1.4.4.-.0.c.1.3.-.4.d.4.9.-.9.d.d.5.-.6.d.e.7.c.b.8.d.5.f.1.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.4.d.5.6.9.b.3.-.3.4.b.0.-.4.8.e.3.-.9.5.f.5.-.0.e.f.f.c.0.1.8.1.4.7.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.F.Q. .p.d.f...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.D.c.C.I...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.5.8.-.0.0.0.1.-.0.0.1.a.-.2.9.f.3.-.9.3.e.2.5.e.c.f.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.1.2.c.e.b.a.b.6.2.9.b.5.d.3.2.d.6.b.8.a.f.1.c.9.c.e.e.2.2.6.7.0.0.0.0.0.0.0.0.!.0.0.0.0.5.e.8.2.2.3.1.3.7.6.2.2.4.6.6.c.1.e.c.a.3.5.2.7.1.5.8.6.d.d.6.8.2.4.f.b.5.b.1.c.!.R.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7306.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Sep 23 15:12:36 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	273803
Entropy (8bit):	3.6283798461942802
Encrypted:	false
SSDEEP:	3072:uhXgpnyqXO9gIOgF5nk0gUCgU2v1Aqo2Jf70xjd+pf:zi9RpDkTTjyjZ702p
MD5:	E96E4B955D9023B01A66B4C014A59590
SHA1:	81218EE2DF1FCCB1A176F7152E08127528AD5428
SHA-256:	11C0AC3091446CDDCCD98E8782DF5A284D58A63D6C9C4632581AD1B3E3441D36
SHA-512:	D540F21E04B987F2C664A1C2B98B80150C24F3158CF55C286C6C59BEEAF558CBBA3D9460215D39482B06D0EE372B7D16E30A90085D905CA8A6ED9CBC717801DC
Malicious:	false
Reputation:	low
Preview:	MDMP....... .........-c............t.......................T...H#.......%...T..........`.......8...........T............;...............#...........%...................................................................U...........B...... &......GenuineIntelW...........T.......X.....-c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7912.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	6298
Entropy (8bit):	3.7301307714363436
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi+E6bYT4x8SfZwCprb89bL7sfnZm:RrlsNiV6bYT42SCLAfU
MD5:	1402313EDD5D0D3A0CA4E4819DDF4FFE
SHA1:	6B9EDF6C565CACBE581498B24ED76CE1A4F745C4
SHA-256:	894AEC4730BF9D1502FEC888ADB7187E7DBE139FAD2B6484594AB05A42EBEC87
SHA-512:	2AE24A3E9DA21309E5BE557753568F37181DE773175C38F8B559BF78ED10E16642B7F61A3AED0D0B913937658B20FB31823380AB55871FBA37C46873AD4321AE
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.6.7.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7A6A.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4617
Entropy (8bit):	4.4743660937111285
Encrypted:	false
SSDEEP:	48:cvIwSD8zsYJgtWI9nuzcWgc8sqYjN8fm8M4JfIZjFe+q8+UJOTOuYuVd:uITfexZgrsqYuJ3AIb1Vd
MD5:	8B2DB920BDFC019682B9D75E53A43275
SHA1:	9DAD2FD831A1455CB2B1B21BCA7B6828823F57E3
SHA-256:	B3D95A3DE4A274724730A642CC65FAC9E92B4E9CB4C68FFB5C75AB5D87B0C541
SHA-512:	5A351605674D359EEFB5A815B030E02D6C623C3CAD3B5A153658F2F3F834F94F906C7AEF94A5EC2F192C4D869C48CBBD88EBD04F01B448E6BD25F201758EAAE3
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1704983" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ pdf.exe.log

Download File

Process:	C:\Users\user\Desktop\RFQ pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.738270658804957
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	RFQ pdf.exe
File size:	800768
MD5:	2186990b3fc8fb51de0d235276613505
SHA1:	5e8223137622466c1eca35271586dd6824fb5b1c
SHA256:	e2d1f7e5fe7da6323d2b8105d8aabfbcaf21603059a05c263e14cc079b371718
SHA512:	286be9e8f8d181db4a032f97a8973a482fbbe6a57248a7d9bea616b22c9610a47ab5c084ca38da387a354419da81edca909fcab8e1ab0a99a4654ba148ba7146
SSDEEP:	12288:Uw1SnEwn5B2aUNLTo9XUxIcZg47GV8Z9U:6nEwnr2JLT4X+yyGmZ
TLSH:	6005CF22A7EA0F07C01267B894D1C2B157AAEF55903EC2476EEA7C9FB0767D18251F13
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E................0......d......&.... ........@.. ....................................@................................

File Icon


Icon Hash:	f99a99d898a999f8

Static PE Info

General

Entrypoint:	0x4bf126
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xD08A45BE [Wed Nov 13 11:25:50 2080 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbf0d4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc0000	0x6164	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xbf0b8	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbd12c	0xbd200	False	0.6633434711665566	data	6.764992841750805	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc0000	0x6164	0x6200	False	0.45703125	data	5.751957149803205	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc8000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xc0238	0x2e8	data
RT_ICON	0xc0520	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0xc0648	0xea8	data
RT_ICON	0xc14f0	0x8a8	data
RT_ICON	0xc1d98	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0xc2300	0x25a8	data
RT_ICON	0xc48a8	0x10a8	data
RT_ICON	0xc5950	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xc5db8	0x76	data
RT_VERSION	0xc5e30	0x334	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.6193.122.6.16849721802842536 09/23/22-08:12:30.599509	TCP	2842536	ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check	49721	80	192.168.2.6	193.122.6.168

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 23, 2022 08:12:27.571508884 CEST	49721	80	192.168.2.6	193.122.6.168
Sep 23, 2022 08:12:30.580404997 CEST	49721	80	192.168.2.6	193.122.6.168
Sep 23, 2022 08:12:30.598292112 CEST	80	49721	193.122.6.168	192.168.2.6
Sep 23, 2022 08:12:30.598417997 CEST	49721	80	192.168.2.6	193.122.6.168
Sep 23, 2022 08:12:30.599509001 CEST	49721	80	192.168.2.6	193.122.6.168
Sep 23, 2022 08:12:30.617305040 CEST	80	49721	193.122.6.168	192.168.2.6
Sep 23, 2022 08:12:32.617840052 CEST	80	49721	193.122.6.168	192.168.2.6
Sep 23, 2022 08:12:32.682867050 CEST	49721	80	192.168.2.6	193.122.6.168
Sep 23, 2022 08:12:42.508495092 CEST	49721	80	192.168.2.6	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 23, 2022 08:12:27.483222961 CEST	59082	53	192.168.2.6	8.8.8.8
Sep 23, 2022 08:12:27.502829075 CEST	53	59082	8.8.8.8	192.168.2.6
Sep 23, 2022 08:12:27.515578985 CEST	59504	53	192.168.2.6	8.8.8.8
Sep 23, 2022 08:12:27.532990932 CEST	53	59504	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 23, 2022 08:12:27.483222961 CEST	192.168.2.6	8.8.8.8	0x7878	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:12:27.515578985 CEST	192.168.2.6	8.8.8.8	0xd83a	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 23, 2022 08:12:27.502829075 CEST	8.8.8.8	192.168.2.6	0x7878	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 23, 2022 08:12:27.502829075 CEST	8.8.8.8	192.168.2.6	0x7878	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:12:27.502829075 CEST	8.8.8.8	192.168.2.6	0x7878	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:12:27.502829075 CEST	8.8.8.8	192.168.2.6	0x7878	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:12:27.502829075 CEST	8.8.8.8	192.168.2.6	0x7878	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:12:27.502829075 CEST	8.8.8.8	192.168.2.6	0x7878	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:12:27.532990932 CEST	8.8.8.8	192.168.2.6	0xd83a	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 23, 2022 08:12:27.532990932 CEST	8.8.8.8	192.168.2.6	0xd83a	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:12:27.532990932 CEST	8.8.8.8	192.168.2.6	0xd83a	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:12:27.532990932 CEST	8.8.8.8	192.168.2.6	0xd83a	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:12:27.532990932 CEST	8.8.8.8	192.168.2.6	0xd83a	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:12:27.532990932 CEST	8.8.8.8	192.168.2.6	0xd83a	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49721	193.122.6.168	80	C:\Users\user\Desktop\RFQ pdf.exe

Timestamp	kBytes transferred	Direction	Data
Sep 23, 2022 08:12:30.599509001 CEST	453	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 23, 2022 08:12:32.617840052 CEST	453	IN	HTTP/1.1 502 Bad Gateway Date: Fri, 23 Sep 2022 06:12:32 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Target ID:	0
Start time:	08:12:06
Start date:	23/09/2022
Path:	C:\Users\user\Desktop\RFQ pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RFQ pdf.exe"
Imagebase:	0x4f0000
File size:	800768 bytes
MD5 hash:	2186990B3FC8FB51DE0D235276613505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.282302542.000000000293F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.285058685.0000000003AD5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: RFQ pdf.exePID: 3672, Parent PID: 3868

General

Target ID:	2
Start time:	08:12:24
Start date:	23/09/2022
Path:	C:\Users\user\Desktop\RFQ pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\RFQ pdf.exe
Imagebase:	0x520000
File size:	800768 bytes
MD5 hash:	2186990B3FC8FB51DE0D235276613505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000000.276779694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: WerFault.exePID: 3096, Parent PID: 3672

General

Target ID:	13
Start time:	08:12:35
Start date:	23/09/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1516
Imagebase:	0x160000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RFQ pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RFQ pdf.exe_5ece828fd8a15294e4f5abc1119a13c828c91fd_89bec156_0c768749\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7306.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7912.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7A6A.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ pdf.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
RFQ pdf.exe