Windows Analysis Report
RFQ.exe

Overview

General Information

Sample Name: RFQ.exe
Analysis ID: 715063
MD5: aad07a56490f6741c3921858f3043e79
SHA1: a94598c7fc15b6c5acc91f1436dba83997e11e28
SHA256: 3e2d304ef3b13cf0e4ce178d8b04878537871fe4957a579da336daee46cdeeef
Tags: exe

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AntiVM3
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: RFQ.exe ReversingLabs: Detection: 33%
Source: RFQ.exe Virustotal: Detection: 35%
Source: RFQ.exe Joe Sandbox ML: detected
Source: 1.0.RFQ.exe.400000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 1.0.RFQ.exe.400000.0.unpack Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "mariel.lalu@jeteix.com", "Password": "qlRYaFn8 ", "Host": "us2.smtp.mailhostbox.com", "Port": "587"}
Source: RFQ.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: RFQ.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 018F6467h 1_2_018F61A9
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 018FE499h 1_2_018FE1E1
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 018F75E7h 1_2_018F7328
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 018FF5F9h 1_2_018FF341
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 018FFA51h 1_2_018FF798
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 018FDBEAh 1_2_018FD6BA
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 018F68C7h 1_2_018F6608
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 018FE8F1h 1_2_018FE638
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 018F4C21h 1_2_018F4960
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 018FED49h 1_2_018FEA92
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 018F6D27h 1_2_018F6A69
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 018FE041h 1_2_018FDD87
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 018F534Ah 1_2_018F4F30
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 018F7187h 1_2_018F6EC9
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 018FF1A1h 1_2_018FEEE8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 018F534Ah 1_2_018F5277
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 018F534Ah 1_2_018F4F20
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 1_2_018F3E80
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 0699E161h 1_2_0699DEB8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 06998149h 1_2_06997EA0
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 06995181h 1_2_06994ED8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 069948D1h 1_2_06994628
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 0699EA39h 1_2_0699E790
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 06995A31h 1_2_06995788
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 069989F9h 1_2_06998750
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 0699F741h 1_2_0699F498
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 06996739h 1_2_06996490
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 06993771h 1_2_069934C8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 06997899h 1_2_069975F0
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 06996FE9h 1_2_06996D40
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 06994021h 1_2_06993D78
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 06994D29h 1_2_06994A80
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 069985A1h 1_2_069982F8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 06997CF1h 1_2_06997A48
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 0699EE91h 1_2_0699EBE8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 06995E89h 1_2_06995BE0
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 0699E5E1h 1_2_0699E338
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 069955D9h 1_2_06995330
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 0699FB99h 1_2_0699F8F0
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 06996B91h 1_2_069968E8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 069962E1h 1_2_06996038
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 0699F2E9h 1_2_0699F040
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 06993319h 1_2_06993070
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 06997441h 1_2_06997198
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 06994479h 1_2_069941D0
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then jmp 06993BC9h 1_2_06993920
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 1_2_0699C0D8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 1_2_0699C0CA
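The "4x nop then jmp" lines above come from a byte-level heuristic: a run of single-byte nops immediately followed by a relative jump, which is rare in compiler output and common in obfuscated or dynamically generated code (the listed addresses at 018Fxxxxh and 0699xxxxh lie well outside the 400000h image base seen in the unpack names, so this is runtime-generated code). The scanner below is an added example, not Joe Sandbox's implementation or code from the sample; the code buffer it scans is constructed here and only laid out at the report's function address 018F61A9h so that the first hit reproduces the report's "4x nop then jmp 018F6467h" line.

```python
"""Scan a raw x86 code buffer for the 'N x nop then jmp' pattern behind the
report's "Found inlined nop instructions" heuristic (e.g. "4x nop then jmp
018F6467h" in the function at 018F61A9h) and resolve each jump target so a
hit can be rendered the same way."""
import struct
from dataclasses import dataclass

NOP = 0x90        # single-byte nop
JMP_REL32 = 0xE9  # jmp rel32 (5 bytes)
JMP_REL8 = 0xEB   # jmp rel8  (2 bytes)


@dataclass(frozen=True)
class NopJmp:
    addr: int    # virtual address of the first nop in the run
    nops: int    # length of the nop run
    target: int  # resolved jump destination


def find_nop_then_jmp(code: bytes, base: int, min_nops: int = 4):
    """Return every run of >= min_nops consecutive nops that is immediately
    followed by a relative jmp. Targets are computed from the address of the
    instruction after the jmp, as the CPU does, and wrapped to 32 bits."""
    hits = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != NOP:
            i += 1
            continue
        j = i
        while j < n and code[j] == NOP:
            j += 1
        run = j - i
        if run >= min_nops and j < n:
            if code[j] == JMP_REL32 and j + 5 <= n:
                rel = struct.unpack_from("<i", code, j + 1)[0]
                hits.append(NopJmp(base + i, run, (base + j + 5 + rel) & 0xFFFFFFFF))
            elif code[j] == JMP_REL8 and j + 2 <= n:
                rel = struct.unpack_from("<b", code, j + 1)[0]
                hits.append(NopJmp(base + i, run, (base + j + 2 + rel) & 0xFFFFFFFF))
        i = j  # a nop run not followed by a jmp is skipped as a whole
    return hits


def format_hit(h: NopJmp) -> str:
    """Render a hit in the report's own notation."""
    return f"{h.nops}x nop then jmp {h.target:08X}h"


# Constructed code buffer (not bytes from the sample), laid out at the
# report's function address 018F61A9h so the first hit reproduces the
# "4x nop then jmp 018F6467h" line; it also carries a below-threshold
# 2-nop run and a 5-nop run ending in a short jmp.
FUNC_BASE = 0x018F61A9
SAMPLE_CODE = (
    bytes.fromhex("558BEC")                                    # push ebp; mov ebp, esp
    + bytes([NOP] * 4)
    + bytes([JMP_REL32]) + struct.pack("<i", 0x018F6467 - (FUNC_BASE + 12))
    + bytes.fromhex("33C0")                                    # xor eax, eax
    + bytes([NOP] * 2) + bytes.fromhex("EB05")                 # 2 nops only: ignored at default threshold
    + bytes([NOP] * 5) + bytes.fromhex("EB10")                 # 5 nops then jmp +16
    + bytes.fromhex("C3")                                      # ret
)

if __name__ == "__main__":
    for h in find_nop_then_jmp(SAMPLE_CODE, FUNC_BASE):
        print(f"{h.addr:08X}: {format_hit(h)}")
```

This is a byte scan, not a disassembly: an immediate or displacement that happens to contain 90h bytes can produce a false hit, which is why the sandbox reports it as a heuristic ("likely shell or obfuscated code") rather than a detection on its own. Lowering `min_nops` trades precision for recall, as the 2-nop run in the constructed buffer shows.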

Networking

Source: Traffic Snort IDS: 2842536 ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.3:49704 -> 132.226.8.169:80
Source: C:\Users\user\Desktop\RFQ.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\RFQ.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\RFQ.exe DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\RFQ.exe DNS query: name: checkip.dyndns.org
Source: Yara match File source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View ASN Name: UTMEMUS UTMEMUS
Source: Joe Sandbox View IP Address: 132.226.8.169 132.226.8.169
Source: global traffic HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Source: RFQ.exe, 00000001.00000002.510261529.0000000003543000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: RFQ.exe, 00000001.00000002.510207727.0000000003536000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000001.00000002.510261529.0000000003543000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: RFQ.exe, 00000001.00000002.509570774.00000000034A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: RFQ.exe, 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: RFQ.exe, 00000001.00000002.510207727.0000000003536000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org42k
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: RFQ.exe, 00000001.00000002.509570774.00000000034A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: RFQ.exe, 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: unknown DNS traffic detected: queries for: checkip.dyndns.org
Source: global traffic HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
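The two network behaviours recorded in this section are the external-IP check (GET / to checkip.dyndns.org with a stale MSIE 6.0 User-Agent, the discriminator behind the ETPRO 2842536 alert) and, per the extracted configuration, SMTP submission to us2.smtp.mailhostbox.com on port 587. The detection below is an added example, not Joe Sandbox code or the Snort rule itself: it runs over a constructed, hypothetical pipe-separated proxy/flow export (src|proto|dst_host|dst_port|method|path|user_agent, an assumed format), uses an assumed corporate mail relay allowlist (mail.example.com), and correlates both halves per source host, since checkip.dyndns.org alone is also queried by legitimate software.

```python
"""Detection logic for the two network behaviours this report records:
the external-IP check against checkip.dyndns.org with a stale MSIE 6.0
User-Agent (the ETPRO 2842536 discriminator), and SMTP submission traffic
to the exfiltration host from the extracted configuration."""
from dataclasses import dataclass

# Indicators taken from the report: HTTP request and Snort alert above,
# SMTP host/port from the Malware Configuration Extractor output.
IP_CHECK_HOST = "checkip.dyndns.org"
IP_CHECK_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
EXFIL_SMTP_HOST = "us2.smtp.mailhostbox.com"
EXFIL_SMTP_PORT = 587
SUBMISSION_PORTS = {25, 465, 587}


@dataclass(frozen=True)
class Alert:
    kind: str   # snake_ipcheck | ipcheck_generic | smtp_exfil_host | smtp_unapproved_relay
    src: str    # internal source address
    detail: str


def parse_line(line: str):
    """Hypothetical pipe-separated proxy/flow export (an assumed format, not
    a real product's): src|proto|dst_host|dst_port|method|path|user_agent.
    Returns None for anything that does not fit."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != 7:
        return None
    src, proto, host, port, method, path, ua = parts
    if not port.isdigit():
        return None
    return {"src": src, "proto": proto.lower(), "host": host.lower(),
            "port": int(port), "method": method, "path": path, "ua": ua}


def scan(log_text: str, mail_allowlist=frozenset({"mail.example.com"})):
    """Return one Alert per suspicious record. checkip.dyndns.org alone is
    low-confidence (legitimate software uses it); the exact IE 6.0 UA is
    what turns it into the Snake/Matiex signature."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "http" and rec["host"] == IP_CHECK_HOST:
            if rec["ua"] == IP_CHECK_UA:
                alerts.append(Alert("snake_ipcheck", rec["src"],
                                    f"{rec['method']} {rec['path']} with Snake/Matiex User-Agent"))
            else:
                alerts.append(Alert("ipcheck_generic", rec["src"], f"ua={rec['ua']}"))
        elif (rec["proto"] == "tcp" and rec["port"] in SUBMISSION_PORTS
              and rec["host"] not in mail_allowlist):
            exact = rec["host"] == EXFIL_SMTP_HOST and rec["port"] == EXFIL_SMTP_PORT
            alerts.append(Alert("smtp_exfil_host" if exact else "smtp_unapproved_relay",
                                rec["src"], f"{rec['host']}:{rec['port']}"))
    return alerts


def correlate(alerts):
    """Hosts showing both halves of the pattern (IP check plus direct SMTP
    submission to a non-corporate relay), i.e. the Snake Keylogger exfil
    sequence rather than either indicator on its own."""
    kinds_by_src = {}
    for a in alerts:
        kinds_by_src.setdefault(a.src, set()).add(a.kind)
    return sorted(src for src, kinds in kinds_by_src.items()
                  if "snake_ipcheck" in kinds
                  and kinds & {"smtp_exfil_host", "smtp_unapproved_relay"})


# Constructed sample log (not from the report): the first two lines mirror
# the sandbox's 192.168.2.3 traffic, the rest is benign background noise.
SAMPLE_LOG = """\
192.168.2.3|http|checkip.dyndns.org|80|GET|/|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
192.168.2.3|tcp|us2.smtp.mailhostbox.com|587|||
192.168.2.7|http|checkip.dyndns.org|80|GET|/|Mozilla/5.0 (Windows NT 10.0; Win64; x64) rv:109.0
192.168.2.7|tcp|mail.example.com|587|||
192.168.2.9|http|www.example.com|80|GET|/index.html|Mozilla/5.0
not a log line
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.kind:22} {a.src:12} {a.detail}")
    print("hosts matching the full exfil pattern:", correlate(found))
```

The SMTP half matters because port 587 to an arbitrary external relay from a workstation is itself anomalous in most environments; the exact host/port from the configuration raises it to a confirmed match, while the generic `smtp_unapproved_relay` case catches the same family when the operator rotates the mailbox.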

System Summary

Source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RFQ.exe.45235c8.7.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ.exe.45235c8.7.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ.exe.45235c8.7.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ.exe.45235c8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RFQ.exe.4795b48.10.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ.exe.4795b48.10.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ.exe.4795b48.10.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ.exe.4795b48.10.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RFQ.exe PID: 4968, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RFQ.exe PID: 4968, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RFQ.exe PID: 3388, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RFQ.exe PID: 3388, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: RFQ.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ.exe.45235c8.7.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.RFQ.exe.45235c8.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ.exe.45235c8.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ.exe.45235c8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ.exe.4795b48.10.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.RFQ.exe.4795b48.10.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ.exe.4795b48.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ.exe.4795b48.10.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RFQ.exe PID: 4968, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RFQ.exe PID: 4968, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RFQ.exe PID: 3388, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RFQ.exe PID: 3388, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_032FCA4C 0_2_032FCA4C
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_032FE9EA 0_2_032FE9EA
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_032FE9F0 0_2_032FE9F0
Source: C:\Users\user\Desktop\RFQ.exe Code function: 0_2_032FB468 0_2_032FB468
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018F61A9 1_2_018F61A9
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018FE1E1 1_2_018FE1E1
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018F7328 1_2_018F7328
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018F9343 1_2_018F9343
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018FF341 1_2_018FF341
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018FF798 1_2_018FF798
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018FD6BA 1_2_018FD6BA
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018F6608 1_2_018F6608
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018FE638 1_2_018FE638
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018F59F8 1_2_018F59F8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018F4960 1_2_018F4960
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018FEA92 1_2_018FEA92
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018F6A69 1_2_018F6A69
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018FDD87 1_2_018FDD87
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018F6EC9 1_2_018F6EC9
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018FEEE8 1_2_018FEEE8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018F59E8 1_2_018F59E8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018FCF30 1_2_018FCF30
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018FCF40 1_2_018FCF40
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018F3E80 1_2_018F3E80
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018F3E70 1_2_018F3E70
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06970690 1_2_06970690
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06972610 1_2_06972610
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06970040 1_2_06970040
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06970CE0 1_2_06970CE0
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06972C60 1_2_06972C60
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_069732B0 1_2_069732B0
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06971328 1_2_06971328
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06971FC0 1_2_06971FC0
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_069738F8 1_2_069738F8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06971970 1_2_06971970
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06970680 1_2_06970680
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06972601 1_2_06972601
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06970006 1_2_06970006
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06970CD1 1_2_06970CD1
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06972C50 1_2_06972C50
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_069732A0 1_2_069732A0
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06971319 1_2_06971319
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06971FB1 1_2_06971FB1
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_069738E8 1_2_069738E8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06971961 1_2_06971961
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0699DEB8 1_2_0699DEB8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06997EA0 1_2_06997EA0
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06994ED8 1_2_06994ED8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06994628 1_2_06994628
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0699E790 1_2_0699E790
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06995788 1_2_06995788
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06998750 1_2_06998750
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0699F498 1_2_0699F498
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06996490 1_2_06996490
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_069934C8 1_2_069934C8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0699C450 1_2_0699C450
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_069975F0 1_2_069975F0
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06996D40 1_2_06996D40
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06993D78 1_2_06993D78
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06994A80 1_2_06994A80
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_069982F8 1_2_069982F8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06997A48 1_2_06997A48
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06998BA8 1_2_06998BA8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0699EBE8 1_2_0699EBE8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06995BE0 1_2_06995BE0
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0699E338 1_2_0699E338
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06995330 1_2_06995330
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0699F8F0 1_2_0699F8F0
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_069968E8 1_2_069968E8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06996038 1_2_06996038
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0699B828 1_2_0699B828
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06990040 1_2_06990040
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0699F040 1_2_0699F040
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06993070 1_2_06993070
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06997198 1_2_06997198
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_069941D0 1_2_069941D0
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06993920 1_2_06993920
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0699D150 1_2_0699D150
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06997E96 1_2_06997E96
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0699DEA9 1_2_0699DEA9
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06994EC8 1_2_06994EC8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06994618 1_2_06994618
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0699E781 1_2_0699E781
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06998740 1_2_06998740
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06995778 1_2_06995778
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0699F488 1_2_0699F488
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_069934B9 1_2_069934B9
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0699647F 1_2_0699647F
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_069975E0 1_2_069975E0
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06996D38 1_2_06996D38
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06993D67 1_2_06993D67
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_069982E8 1_2_069982E8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06997A37 1_2_06997A37
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06994A72 1_2_06994A72
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0699EBD8 1_2_0699EBD8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06995BD0 1_2_06995BD0
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0699531F 1_2_0699531F
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0699E328 1_2_0699E328
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0699C0D8 1_2_0699C0D8
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_069968D7 1_2_069968D7
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0699C0CA 1_2_0699C0CA
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0699F8E0 1_2_0699F8E0
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0699B818 1_2_0699B818
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06990006 1_2_06990006
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0699F030 1_2_0699F030
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06996029 1_2_06996029
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06993060 1_2_06993060
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06997188 1_2_06997188
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_069941BF 1_2_069941BF
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_0699390F 1_2_0699390F
Source: RFQ.exe, 00000000.00000002.280928503.0000000004550000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMetal.dllJ vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMetal.dllJ vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.288186151.0000000007B50000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTargetParameterCount.dll> vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.272272091.0000000003560000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.270301502.00000000034F6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.270301502.00000000034F6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs RFQ.exe
Source: RFQ.exe, 00000000.00000000.240378654.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVDnO.exeL vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.288331973.0000000007BA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTargetParameterCount.dll> vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.269573487.0000000003491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.269573487.0000000003491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.288379252.0000000007D40000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMetal.dllJ vs RFQ.exe
Source: RFQ.exe, 00000001.00000000.265808349.0000000000422000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs RFQ.exe
Source: RFQ.exe, 00000001.00000002.506053802.00000000014F7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs RFQ.exe
Source: RFQ.exe Binary or memory string: OriginalFilenameVDnO.exeL vs RFQ.exe
Source: RFQ.exe ReversingLabs: Detection: 33%
Source: RFQ.exe Virustotal: Detection: 35%
Source: RFQ.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RFQ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\RFQ.exe C:\Users\user\Desktop\RFQ.exe
Source: C:\Users\user\Desktop\RFQ.exe Process created: C:\Users\user\Desktop\RFQ.exe C:\Users\user\Desktop\RFQ.exe
Source: C:\Users\user\Desktop\RFQ.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ.exe.log
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
Source: RFQ.exe, 00000001.00000002.510819015.000000000451C000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000001.00000002.510363594.000000000355C000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000001.00000002.510404547.0000000003568000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RFQ.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\RFQ.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 1.0.RFQ.exe.400000.0.unpack, ufffd?ufffd?z/ud834udd61ufffd??.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.0.RFQ.exe.400000.0.unpack, u06da??u005e?/???ufffd?.cs Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Users\user\Desktop\RFQ.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\RFQ.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\RFQ.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: RFQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: RFQ.exe, NetworkArithmeticGame/Form1.cs .Net Code: UYR0010453 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.RFQ.exe.fe0000.0.unpack, NetworkArithmeticGame/Form1.cs .Net Code: UYR0010453 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018F1B69 push 8BFFFFFFh; retf 1_2_018F1B6F
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018F2F60 push FFFFFF8Bh; iretd 1_2_018F2F62
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_06974198 push es; iretd 1_2_06975318
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_069750EB push es; iretd 1_2_06975318
Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 00000000.00000002.270301502.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ.exe PID: 4968, type: MEMORYSTR
Source: RFQ.exe, 00000000.00000002.270301502.00000000034F6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: RFQ.exe, 00000000.00000002.270301502.00000000034F6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAMENSYSTEM\CONTROLSET001\SERVICES\DISK\ENUM
Source: C:\Users\user\Desktop\RFQ.exe TID: 5136 Thread sleep time: -41226s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 5176 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\RFQ.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\RFQ.exe Thread delayed: delay time: 41226
Source: RFQ.exe, 00000000.00000002.270301502.00000000034F6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RFQ.exe, 00000000.00000002.270301502.00000000034F6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: RFQ.exe, 00000000.00000002.270301502.00000000034F6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SAMPLEDSOFTWARE\VMware, Inc.\VMware Tools
Source: RFQ.exe, 00000000.00000002.270301502.00000000034F6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARETSOFTWARE\Oracle\VirtualBox Guest Additions
Source: RFQ.exe, 00000000.00000002.270301502.00000000034F6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: RFQ.exe, 00000001.00000002.507107349.00000000016B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\RFQ.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018F59F8 LdrInitializeThunk, 1_2_018F59F8
Source: C:\Users\user\Desktop\RFQ.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 1.0.RFQ.exe.400000.0.unpack, u06da??u005e?/???ufffd?.cs Reference to suspicious API methods: ('??OZ&', 'MapVirtualKey@user32.dll')
Source: 1.0.RFQ.exe.400000.0.unpack, ???ufffdufffd/ufffdufffdufffdufffd?.cs Reference to suspicious API methods: ('?m???', 'LoadLibrary@kernel32.dll'), ('????;', 'GetProcAddress@kernel32')
Source: C:\Users\user\Desktop\RFQ.exe Memory written: C:\Users\user\Desktop\RFQ.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\RFQ.exe Process created: C:\Users\user\Desktop\RFQ.exe C:\Users\user\Desktop\RFQ.exe
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Users\user\Desktop\RFQ.exe VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Users\user\Desktop\RFQ.exe VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.45235c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.4795b48.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ.exe PID: 4968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RFQ.exe PID: 3388, type: MEMORYSTR
Source: C:\Users\user\Desktop\RFQ.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\RFQ.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\RFQ.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\RFQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
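The file and registry accesses in this section, together with the volume-information queries and the MachineGuid read listed above, are the raw behaviour evidence behind the credential-theft verdict. As an added example (not part of the Joe Sandbox report or of the sample), the following Python script parses behaviour lines in the report's own "Source: <process> <action>: <target>" format and sorts them into triage buckets: the FileZilla recentservers.xml, the Chromium "Login Data" database and the Outlook/Postbox profile stores are flagged as credential-store reads, the MachineGuid read as host fingerprinting, and the font and GAC assembly queries as loader noise. The path-to-category table, the treatment of the font queries as benign GDI+ font enumeration, and the assumption that the process path contains no spaces are this example's own; the sample input lines are copied from the report entries above.

```python
"""Triage Joe Sandbox behaviour lines into credential-theft evidence vs. noise.

Added example, not code from the report or from the sample. The mapping of
paths to categories below is this example's own assumption, based on the
well-known storage locations of the named applications.
"""
import re
from collections import Counter

# Constructed sample input: lines copied from the report entries above.
SAMPLE_LINES = [
    "Source: C:\\Users\\user\\Desktop\\RFQ.exe Queries volume information: C:\\Windows\\Fonts\\PERBI___.TTF VolumeInformation",
    "Source: C:\\Users\\user\\Desktop\\RFQ.exe Queries volume information: C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\System.Management.dll VolumeInformation",
    "Source: C:\\Users\\user\\Desktop\\RFQ.exe Key value queried: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography MachineGuid",
    "Source: C:\\Users\\user\\Desktop\\RFQ.exe File opened: C:\\Users\\user\\AppData\\Roaming\\PostboxApp\\Profiles\\",
    "Source: C:\\Users\\user\\Desktop\\RFQ.exe Key opened: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676",
    "Source: C:\\Users\\user\\Desktop\\RFQ.exe File opened: C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml",
    "Source: C:\\Users\\user\\Desktop\\RFQ.exe File opened: C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
]

# Assumption: the process path carries no spaces (true for the lines above);
# the target may contain spaces ("Windows NT", "User Data", "Login Data").
LINE_RE = re.compile(
    r"^Source:\s+(?P<process>\S+)\s+"
    r"(?P<action>Queries volume information|Key value queried|Key opened|File opened):\s+"
    r"(?P<target>.*?)\s*$"
)
VOLINFO_SUFFIX = " VolumeInformation"


def parse(lines):
    """Turn report lines into {process, action, target} dicts; skip unparseable lines."""
    events = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        process, action, target = m.group("process", "action", "target")
        if action == "Queries volume information" and target.endswith(VOLINFO_SUFFIX):
            target = target[: -len(VOLINFO_SUFFIX)]  # drop the report's column label
        events.append({"process": process, "action": action, "target": target})
    return events


def classify(event):
    """Map one event to a triage bucket. Rule order matters: specific before generic."""
    action, t = event["action"], event["target"].lower()
    if action == "Key value queried" and t.endswith("\\cryptography machineguid"):
        return "host-fingerprint"          # per-install ID, commonly used as victim ID
    if "\\filezilla\\" in t:
        return "ftp-credentials"           # recentservers.xml / sitemanager.xml hold saved logins
    if t.endswith("\\login data"):
        return "browser-credentials"       # Chromium saved-password SQLite database
    if "windows messaging subsystem\\profiles" in t or "\\postboxapp\\profiles" in t:
        return "mail-credentials"          # MAPI profile key / Postbox profile store
    if action == "Queries volume information" and t.endswith(".ttf"):
        return "noise:font-enumeration"    # assumed: GDI+ font enumeration by a .NET GUI app
    if action == "Queries volume information" and "\\gac_msil\\" in t:
        return "noise:assembly-load"       # framework assemblies resolved from the GAC
    return "other"


def triage(lines):
    events = parse(lines)
    for e in events:
        e["category"] = classify(e)
    return events


def summarize(lines):
    """Count events per bucket; credential buckets > 0 is the signal worth escalating."""
    return Counter(e["category"] for e in triage(lines))


def credential_stores_touched(lines):
    """Sorted list of distinct credential-store targets the process accessed."""
    return sorted({e["target"] for e in triage(lines) if e["category"].endswith("-credentials")})


if __name__ == "__main__":
    for bucket, n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{n:3d}  {bucket}")
    for target in credential_stores_touched(SAMPLE_LINES):
        print("credential store:", target)
```

Run against the full section (all 87 volume-information lines plus the four file and key accesses) the noise buckets dominate by count, which is exactly why a triage step should rank by bucket rather than by line count: four reads of credential stores from one process outweigh any number of font lookups. The same path table can be reused as a hunting rule against endpoint telemetry, where a single process touching recentservers.xml, Login Data and an Outlook profile key within a short window is a stronger indicator than any one of them alone.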

Remote Access Functionality

Source: Yara match File source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.45235c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.4795b48.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ.exe PID: 4968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RFQ.exe PID: 3388, type: MEMORYSTR