

Windows Analysis Report
RFQ 306 & 307.exe

Overview

General Information

Sample name: RFQ 306 & 307.exe
Analysis ID: 1640566
MD5: 98f5e0e1ea843b54bb5d5b71a916b130
SHA1: 60a5239cb8f370c3e34e87872fc82c66fe6b893e
SHA256: 2d3083544d87f65cb65db78b9050d6dbf69412f94c49ee82cf59dd889f19ece8
Tags: exe, user-adrian__luca

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Sample uses string decryption to hide its real strings
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • RFQ 306 & 307.exe (PID: 716 cmdline: "C:\Users\user\Desktop\RFQ 306 & 307.exe" MD5: 98F5E0E1EA843B54BB5D5B71A916B130)
    • RFQ 306 & 307.exe (PID: 5560 cmdline: "C:\Users\user\Desktop\RFQ 306 & 307.exe" MD5: 98F5E0E1EA843B54BB5D5B71A916B130)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot8052404957:AAEV5F264213Kb-8sgs9T2xYdxlZT-kESiM/sendMessage?chat_id=5521168189", "Token": "8052404957:AAEV5F264213Kb-8sgs9T2xYdxlZT-kESiM", "Chat_id": "5521168189", "Version": "5.1"}
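The extracted configuration above is the most actionable artifact in this report: the exfiltration channel is a Telegram bot, and the bot token plus chat_id identify the operator's collection point. The script below is an added example written for this page, not Joe Sandbox's own extractor code. It parses the config JSON with only the Python standard library, cross-checks that the "Telegram URL" agrees with the separate "Token" and "Chat_id" fields (the URL is what the sample really contacts; the other two fields are the extractor's parse of it), and collects the host, URL and token as indicators. The 35-character secret length is an observed convention and is labelled as an assumption in the code.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# The configuration exactly as the report's Malware Configuration Extractor
# printed it. The token belongs to the operator's bot: it is an indicator to
# hunt for and to report to Telegram, not a credential to exercise.
EXTRACTED_CONFIG = (
    '{"Exfil Mode": "Telegram", '
    '"Telegram URL": "https://api.telegram.org/bot8052404957:AAEV5F264213Kb-8sgs9T2xYdxlZT-kESiM'
    '/sendMessage?chat_id=5521168189", '
    '"Token": "8052404957:AAEV5F264213Kb-8sgs9T2xYdxlZT-kESiM", '
    '"Chat_id": "5521168189", "Version": "5.1"}'
)

# Bot API tokens are "<numeric bot id>:<secret>". The 35-character secret is
# the length seen in this and other samples (an assumption, not a documented
# guarantee), so a different length is flagged rather than rejected.
TOKEN_RE = re.compile(r"^(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)$")
EXPECTED_SECRET_LEN = 35
# Bot API URL path layout: /bot<token>/<method>
BOT_PATH_RE = re.compile(r"^/bot(?P<token>[^/]+)/(?P<method>[A-Za-z]+)$")


def parse_snake_config(raw: str) -> dict:
    """Normalise a Snake Keylogger Telegram config and cross-check its fields."""
    cfg = json.loads(raw)
    out = {
        "exfil_mode": cfg.get("Exfil Mode"),
        "version": cfg.get("Version"),
        "bot_id": None,
        "chat_id": cfg.get("Chat_id"),
        "method": None,
        "warnings": [],
        "iocs": {"hosts": set(), "urls": set(), "tokens": set()},
    }

    token = cfg.get("Token", "")
    m = TOKEN_RE.match(token)
    if m is None:
        out["warnings"].append("Token field does not look like a bot token")
    else:
        out["bot_id"] = m.group("bot_id")
        out["iocs"]["tokens"].add(token)
        if len(m.group("secret")) != EXPECTED_SECRET_LEN:
            out["warnings"].append(
                "unexpected token secret length %d" % len(m.group("secret")))

    url_token = url_chat = None
    url = cfg.get("Telegram URL", "")
    if url:
        parts = urlsplit(url)
        if parts.hostname:
            out["iocs"]["hosts"].add(parts.hostname)
        out["iocs"]["urls"].add(url)
        pm = BOT_PATH_RE.match(parts.path)
        if pm:
            url_token = pm.group("token")
            out["method"] = pm.group("method")
        url_chat = parse_qs(parts.query).get("chat_id", [None])[0]

    # The URL is what the sample actually contacts; the separate Token and
    # Chat_id fields are the extractor's parse of it. If they disagree, one
    # of them is wrong and the decrypted strings need a manual look.
    out["consistent"] = (url_token == token) and (url_chat == out["chat_id"])
    if not out["consistent"]:
        out["warnings"].append("Telegram URL disagrees with Token/Chat_id fields")

    out["iocs"] = {k: sorted(v) for k, v in out["iocs"].items()}
    return out


if __name__ == "__main__":
    print(json.dumps(parse_snake_config(EXTRACTED_CONFIG), indent=2))
```

The "hosts" indicator (api.telegram.org) is only useful on a network where Telegram is not expected; the token and chat_id are the specific indicators worth sharing, and the bot_id alone is enough to correlate other samples run by the same operator.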
Source | Rule | Description | Author
00000001.00000002.3417519424.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.3417519424.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000001.00000002.3417519424.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x1492f:$a1: get_encryptedPassword
  • 0x14c1b:$a2: get_encryptedUsername
  • 0x1473b:$a3: get_timePasswordChanged
  • 0x14836:$a4: get_passwordField
  • 0x14945:$a5: set_encryptedPassword
  • 0x15f76:$a7: get_logins
  • 0x15ed9:$a10: KeyLoggerEventArgs
  • 0x15b44:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.3417519424.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
  • 0x19898:$x1: $%SMTPDV$
  • 0x1827c:$x2: $#TheHashHere%&
  • 0x19840:$x3: %FTPDV$
  • 0x1821c:$x4: $%TelegramDv$
  • 0x15b44:$x5: KeyLoggerEventArgs
  • 0x15ed9:$x5: KeyLoggerEventArgs
  • 0x19864:$m2: Clipboard Logs ID
  • 0x19aa2:$m2: Screenshot Logs ID
  • 0x19bb2:$m2: keystroke Logs ID
  • 0x19e8c:$m3: SnakePW
  • 0x19a7a:$m4: \SnakeKeylogger\
00000001.00000002.3420124355.0000000002A4D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
(table truncated; the full report lists 13 entries)
Source | Rule | Description | Author
1.2.RFQ 306 & 307.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
1.2.RFQ 306 & 307.exe.400000.0.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
1.2.RFQ 306 & 307.exe.400000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x14b2f:$a1: get_encryptedPassword
  • 0x14e1b:$a2: get_encryptedUsername
  • 0x1493b:$a3: get_timePasswordChanged
  • 0x14a36:$a4: get_passwordField
  • 0x14b45:$a5: set_encryptedPassword
  • 0x16176:$a7: get_logins
  • 0x160d9:$a10: KeyLoggerEventArgs
  • 0x15d44:$a11: KeyLoggerEventArgsEventHandler
1.2.RFQ 306 & 307.exe.400000.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x1c44e:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1b680:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x1bab3:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1caf2:$a5: \Kometa\User Data\Default\Login Data
1.2.RFQ 306 & 307.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hoocking | ditekSHen
  • 0x156f3:$s1: UnHook
  • 0x156fa:$s2: SetHook
  • 0x15702:$s3: CallNextHook
  • 0x1570f:$s4: _hook
(table truncated; the full report lists 23 entries)
            No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-17T13:03:39.350304+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49685 | 104.21.48.1 | 443 | TCP
2025-03-17T13:03:44.262150+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49693 | 104.21.48.1 | 443 | TCP
2025-03-17T13:03:45.454973+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49695 | 104.21.48.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-17T13:03:37.476831+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49683 | 158.101.44.242 | 80 | TCP
2025-03-17T13:03:38.773740+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49683 | 158.101.44.242 | 80 | TCP
2025-03-17T13:03:39.980568+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49686 | 158.101.44.242 | 80 | TCP


            AV Detection

Source: 00000001.00000002.3417519424.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot8052404957:AAEV5F264213Kb-8sgs9T2xYdxlZT-kESiM/sendMessage?chat_id=5521168189", "Token": "8052404957:AAEV5F264213Kb-8sgs9T2xYdxlZT-kESiM", "Chat_id": "5521168189", "Version": "5.1"}
Source: RFQ 306 & 307.exe | ReversingLabs: Detection: 36%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0.2.RFQ 306 & 307.exe.3557160.3.raw.unpack | String decryptor:
Source: 0.2.RFQ 306 & 307.exe.3557160.3.raw.unpack | String decryptor: 8052404957:AAEV5F264213Kb-8sgs9T2xYdxlZT-kESiM
Source: 0.2.RFQ 306 & 307.exe.3557160.3.raw.unpack | String decryptor: 5521168189
Source: 0.2.RFQ 306 & 307.exe.3557160.3.raw.unpack | String decryptor:
Source: 0.2.RFQ 306 & 307.exe.3557160.3.raw.unpack | String decryptor: 8052404957:AAEV5F264213Kb-8sgs9T2xYdxlZT-kESiM
Source: 0.2.RFQ 306 & 307.exe.3557160.3.raw.unpack | String decryptor: 5521168189
Source: 0.2.RFQ 306 & 307.exe.3557160.3.raw.unpack | String decryptor:
Source: 0.2.RFQ 306 & 307.exe.3557160.3.raw.unpack | String decryptor: 8052404957:AAEV5F264213Kb-8sgs9T2xYdxlZT-kESiM
Source: 0.2.RFQ 306 & 307.exe.3557160.3.raw.unpack | String decryptor: 5521168189

            Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: RFQ 306 & 307.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.9:49684 version: TLS 1.0
Source: RFQ 306 & 307.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: xoyT.pdb | source: RFQ 306 & 307.exe
Source: Binary string: xoyT.pdbSHA256\ | source: RFQ 306 & 307.exe
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 00ACF1F6h | 1_2_00ACF007
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 00ACFB80h | 1_2_00ACF007
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 1_2_00ACE528
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 06501A38h | 1_2_06501620
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 06501011h | 1_2_06500D60
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 065002F1h | 1_2_06500040
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 06501471h | 1_2_065011C0
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 0650C8F1h | 1_2_0650C648
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 0650F8B9h | 1_2_0650F610
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 06501A38h | 1_2_06501610
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 0650D1A1h | 1_2_0650CEF8
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 0650DA51h | 1_2_0650D7A8
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 0650DEA9h | 1_2_0650DC00
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 0650B791h | 1_2_0650B4E8
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 0650E759h | 1_2_0650E4B0
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 06500751h | 1_2_065004A0
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 0650F009h | 1_2_0650ED60
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 0650C041h | 1_2_0650BD98
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 0650FD11h | 1_2_0650FA68
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 0650CD49h | 1_2_0650CAA0
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 0650D5F9h | 1_2_0650D350
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 0650E301h | 1_2_0650E058
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 0650BBE9h | 1_2_0650B940
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 06501A38h | 1_2_06501966
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 06500BB1h | 1_2_06500900
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 0650EBB1h | 1_2_0650E908
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 0650C499h | 1_2_0650C1F0
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 0650F461h | 1_2_0650F1B8
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 06538945h | 1_2_06538608
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 06535D19h | 1_2_06535A70
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 065358C1h | 1_2_06535618
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 06536171h | 1_2_06535EC8
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 06536A21h | 1_2_06536778
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 065365C9h | 1_2_06536320
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 06536E79h | 1_2_06536BD0
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 1_2_065333B8
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 1_2_065333A8
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 065372FAh | 1_2_06537050
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 065302E9h | 1_2_06530040
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 06530B99h | 1_2_065308F0
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 06530741h | 1_2_06530498
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 06537751h | 1_2_065374A8
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 06538001h | 1_2_06537D58
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 06530FF1h | 1_2_06530D48
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 06537BA9h | 1_2_06537900
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 06535441h | 1_2_06535198
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 4x nop then jmp 06538459h | 1_2_065381B0
Source: global traffic | TCP traffic: 192.168.2.9:63002 -> 162.159.36.2:53
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.21.48.1
Source: Joe Sandbox View | IP Address: 104.21.48.1
Source: Joe Sandbox View | IP Address: 158.101.44.242
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49686 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49683 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49695 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49685 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49693 -> 104.21.48.1:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.9:49684 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.00000000029DA000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.00000000029E8000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002947000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002938000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.000000000298A000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.00000000029DA000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.00000000029E8000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002947000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/X
Source: RFQ 306 & 307.exe, 00000000.00000002.974808957.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3417519424.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RFQ 306 & 307.exe, 00000001.00000002.3420124355.00000000029E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.orgX
Source: RFQ 306 & 307.exe, 00000001.00000002.3420124355.000000000295F000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.00000000029DA000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.00000000029E8000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RFQ 306 & 307.exe, 00000001.00000002.3420124355.000000000298A000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.00000000029DA000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.00000000029E8000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002947000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: RFQ 306 & 307.exe, 00000000.00000002.974808957.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3417519424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002947000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002947000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RFQ 306 & 307.exe, 00000001.00000002.3420124355.000000000298A000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.00000000029DA000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.00000000029E8000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: RFQ 306 & 307.exe, 00000001.00000002.3420124355.00000000029DA000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189X
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown | Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown | Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49687 -> 443
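The network records above show a two-step IP check that is characteristic of this sample: a GET to checkip.dyndns.org carrying a stale "MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705" User-Agent, followed a few seconds later by a GET to reallyfreegeoip.org/xml/<public IP> with no User-Agent at all. That ordering and timing makes a workable network detection. The detector below is an added example written for this page, not Joe Sandbox or Suricata code. It runs over constructed Zeek-style http.log records (JSON lines, embedded inline and labelled as such) and assumes a 30-second window between the two lookups; the window and the severity tiers are choices made for the example, not values from the report.

```python
import ipaddress
import json
import re
from collections import defaultdict

# User-Agent the sample sent to checkip.dyndns.org (copied from the report).
# It claims IE6 on Windows NT 5.2 with .NET 1.0: a string no current browser sends.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
GEOIP_URI = re.compile(r"^/xml/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")
WINDOW_SECONDS = 30.0  # assumption: the geo lookup follows the IP lookup within seconds

# Constructed Zeek-style http.log records (JSON lines), not captured traffic.
# Host .9 reproduces the report's sequence, .17 is a browser visiting the
# same IP-check page, .23 sends a geo lookup for a private address.
SAMPLE_LOG = """\
{"ts": 1742213017.4, "id.orig_h": "192.168.2.9", "host": "checkip.dyndns.org", "uri": "/", "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"}
{"ts": 1742213019.3, "id.orig_h": "192.168.2.9", "host": "reallyfreegeoip.org", "uri": "/xml/8.46.123.189", "user_agent": ""}
{"ts": 1742213020.0, "id.orig_h": "192.168.2.17", "host": "checkip.dyndns.org", "uri": "/", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0"}
{"ts": 1742213100.0, "id.orig_h": "192.168.2.23", "host": "reallyfreegeoip.org", "uri": "/xml/10.0.0.5", "user_agent": ""}
"""


def classify(rec: dict):
    """Tag one HTTP record, or return None if it is not part of the pattern."""
    host = rec.get("host", "").lower()
    ua = rec.get("user_agent", "")
    if host == "checkip.dyndns.org" and ua == LEGACY_UA:
        return "checkip_legacy_ua"
    if host == "reallyfreegeoip.org" and not ua:
        m = GEOIP_URI.match(rec.get("uri", ""))
        if m:
            try:
                ip = ipaddress.ip_address(m.group("ip"))
            except ValueError:
                return None
            # The sample looks up the public address it just learned; a
            # private address here is odd but not this malware's behaviour.
            return "geoip_lookup_global" if ip.is_global else "geoip_lookup_private"
    return None


def detect(log_text: str) -> list:
    """Group tagged records per source host and score the sequence."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        tag = classify(rec)
        if tag:
            per_host[rec["id.orig_h"]].append((float(rec["ts"]), tag))

    findings = []
    for src, events in per_host.items():
        events.sort()
        tags = {t for _, t in events}
        # High confidence only when the IP lookup precedes the geo lookup
        # and the two fall inside the window.
        sequence = any(
            t1 == "checkip_legacy_ua" and t2 == "geoip_lookup_global"
            and 0 <= ts2 - ts1 <= WINDOW_SECONDS
            for i, (ts1, t1) in enumerate(events)
            for ts2, t2 in events[i + 1:]
        )
        if sequence:
            severity = "high"    # both lookups, right order, right timing
        elif "checkip_legacy_ua" in tags:
            severity = "medium"  # the stale UA alone is already unusual
        else:
            severity = "low"     # bare geo lookup without a UA: worth a look
        findings.append({"src": src, "severity": severity, "indicators": sorted(tags)})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

One caveat from the report itself: the checkip.dyndns.org request went out in clear text on port 80, but reallyfreegeoip.org was reached over TLS 1.0 to 104.21.48.1:443, so the sandbox saw the second request only because it decrypts traffic. On a production sensor the geo lookup is visible as a DNS query or TLS SNI for reallyfreegeoip.org unless TLS is terminated, and the detector's second stage would have to key on that instead of the URI.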

            System Summary

            Source: 1.2.RFQ 306 & 307.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 1.2.RFQ 306 & 307.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 1.2.RFQ 306 & 307.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 1.2.RFQ 306 & 307.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ 306 & 307.exe.3557160.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.RFQ 306 & 307.exe.3557160.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.RFQ 306 & 307.exe.3557160.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.RFQ 306 & 307.exe.3557160.3.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0.2.RFQ 306 & 307.exe.3577b80.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.RFQ 306 & 307.exe.3577b80.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.RFQ 306 & 307.exe.3577b80.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.RFQ 306 & 307.exe.3577b80.1.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0.2.RFQ 306 & 307.exe.3577b80.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.RFQ 306 & 307.exe.3577b80.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.RFQ 306 & 307.exe.3577b80.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0.2.RFQ 306 & 307.exe.3557160.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.RFQ 306 & 307.exe.3557160.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.RFQ 306 & 307.exe.3557160.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 00000001.00000002.3417519424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 00000001.00000002.3417519424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 00000000.00000002.974808957.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 00000000.00000002.974808957.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: Process Memory Space: RFQ 306 & 307.exe PID: 716, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: Process Memory Space: RFQ 306 & 307.exe PID: 716, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: Process Memory Space: RFQ 306 & 307.exe PID: 5560, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: Process Memory Space: RFQ 306 & 307.exe PID: 5560, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: initial sample | Static PE information: Filename: RFQ 306 & 307.exe
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Process Stats: CPU usage > 49%
Source: RFQ 306 & 307.exe, 00000000.00000002.974155245.00000000024F5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs RFQ 306 & 307.exe
Source: RFQ 306 & 307.exe, 00000000.00000000.957874288.00000000001EE000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamexoyT.exe( vs RFQ 306 & 307.exe
Source: RFQ 306 & 307.exe, 00000000.00000002.974808957.00000000034E9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs RFQ 306 & 307.exe
Source: RFQ 306 & 307.exe, 00000000.00000002.974808957.00000000034E9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs RFQ 306 & 307.exe
Source: RFQ 306 & 307.exe, 00000000.00000002.971787545.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs RFQ 306 & 307.exe
Source: RFQ 306 & 307.exe, 00000000.00000002.977662571.0000000006980000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs RFQ 306 & 307.exe
Source: RFQ 306 & 307.exe, 00000000.00000002.981966686.0000000008950000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs RFQ 306 & 307.exe
Source: RFQ 306 & 307.exe, 00000000.00000002.974155245.00000000025E8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs RFQ 306 & 307.exe
Source: RFQ 306 & 307.exe, 00000000.00000002.974155245.00000000024E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs RFQ 306 & 307.exe
Source: RFQ 306 & 307.exe, 00000001.00000002.3417519424.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs RFQ 306 & 307.exe
Source: RFQ 306 & 307.exe, 00000001.00000002.3417770143.0000000000937000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs RFQ 306 & 307.exe
Source: RFQ 306 & 307.exe | Binary or memory string: OriginalFilenamexoyT.exe( vs RFQ 306 & 307.exe
Source: RFQ 306 & 307.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1.2.RFQ 306 & 307.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.RFQ 306 & 307.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.RFQ 306 & 307.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.RFQ 306 & 307.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ 306 & 307.exe.3557160.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ 306 & 307.exe.3557160.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ 306 & 307.exe.3557160.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ 306 & 307.exe.3557160.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ 306 & 307.exe.3577b80.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ 306 & 307.exe.3577b80.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ 306 & 307.exe.3577b80.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ 306 & 307.exe.3577b80.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ 306 & 307.exe.3577b80.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ 306 & 307.exe.3577b80.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ 306 & 307.exe.3577b80.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ 306 & 307.exe.3557160.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ 306 & 307.exe.3557160.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ 306 & 307.exe.3557160.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000002.3417519424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.3417519424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.974808957.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.974808957.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RFQ 306 & 307.exe PID: 716, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RFQ 306 & 307.exe PID: 716, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RFQ 306 & 307.exe PID: 5560, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RFQ 306 & 307.exe PID: 5560, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: RFQ 306 & 307.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.RFQ 306 & 307.exe.3557160.3.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ 306 & 307.exe.3557160.3.raw.unpack, -C.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ 306 & 307.exe.3577b80.1.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ 306 & 307.exe.3577b80.1.raw.unpack, -C.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, TWFk1hsDU74sZHvD9d.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, TWFk1hsDU74sZHvD9d.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, TWFk1hsDU74sZHvD9d.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, TWFk1hsDU74sZHvD9d.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, q1BKUVwJQkg2RGYPU1.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, q1BKUVwJQkg2RGYPU1.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, q1BKUVwJQkg2RGYPU1.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, q1BKUVwJQkg2RGYPU1.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, q1BKUVwJQkg2RGYPU1.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, q1BKUVwJQkg2RGYPU1.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ 306 & 307.exe.log
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Mutant created: NULL
Source: RFQ 306 & 307.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RFQ 306 & 307.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002ACD000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002B03000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3420124355.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp, RFQ 306 & 307.exe, 00000001.00000002.3421677424.000000000390E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RFQ 306 & 307.exe | ReversingLabs: Detection: 36%
Source: unknown | Process created: C:\Users\user\Desktop\RFQ 306 & 307.exe "C:\Users\user\Desktop\RFQ 306 & 307.exe"
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Process created: C:\Users\user\Desktop\RFQ 306 & 307.exe "C:\Users\user\Desktop\RFQ 306 & 307.exe"
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Section loaded: iconcodecservice.dll
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
            Source: RFQ 306 & 307.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: RFQ 306 & 307.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: RFQ 306 & 307.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: xoyT.pdb source: RFQ 306 & 307.exe
            Source: Binary string: xoyT.pdbSHA256\ source: RFQ 306 & 307.exe
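
The "Process created" entries above show the sample launching a second copy of its own image, and the two series of "Section loaded" entries differ in a telling way: the first includes amsi.dll (the CLR hands an Assembly.Load(byte[]) buffer to AMSI), the second adds rasapi32.dll, winhttp.dll, schannel.dll and dpapi.dll, which fits the Chromium Login Data schema string (CREATE TABLE password_notes) found in memory and the Outlook profile key access listed above. The Python below is an added triage example, not part of the Joe Sandbox report or its signature engine: it scores a self-spawning process tree by what the child can do, judged from the modules it loads. Assigning the first module series to the parent and the second to the child, the process IDs, the module-to-capability mapping, the user-writable path list and the score weights are all assumptions of the example; the benign chrome.exe tree in the usage note is constructed.

```python
"""Added triage example (not Joe Sandbox code): rank a self-spawning process
tree by what the child instance can do, judged from the modules it loads.
Process IDs and the parent/child assignment of the two module lists are
constructed for the example; the module names and image path come from the
report entries above."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    ppid: int | None
    image: str
    modules: set = field(default_factory=set)


# Module groups standing in for capabilities. The grouping is an assumption
# of this example, not a Joe Sandbox signature.
CAPABILITY_MODULES = {
    "amsi": {"amsi.dll"},                      # CLR passed an in-memory assembly (Assembly.Load(byte[])) to AMSI
    "dpapi": {"dpapi.dll"},                    # CryptUnprotectData: browser and mail credential blobs
    "http": {"winhttp.dll", "wininet.dll"},
    "ras": {"rasapi32.dll", "rasman.dll"},
    "tls": {"schannel.dll", "ncryptsslp.dll"},
}

# Locations a standard user can write to (assumption: extend for your estate).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def capabilities(modules) -> list:
    """Sorted capability tags whose module group intersects the loaded modules."""
    loaded = {m.lower() for m in modules}
    return sorted(tag for tag, group in CAPABILITY_MODULES.items() if group & loaded)


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def self_spawns(procs) -> list:
    """(parent, child) pairs where the child runs the parent's own image."""
    by_pid = {p.pid: p for p in procs}
    pairs = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is not None and parent.image.lower() == child.image.lower():
            pairs.append((parent, child))
    return pairs


def triage(procs) -> list:
    """One finding per self-spawn; score 1 is noise (multiprocess browsers do
    this constantly), 4 and above is worth an analyst's time."""
    findings = []
    for parent, child in self_spawns(procs):
        score, reasons = 1, ["launches a second instance of its own image"]
        if is_user_writable(child.image):
            score += 1
            reasons.append("image sits in a user-writable path")
        child_caps = set(capabilities(child.modules))
        if "dpapi" in child_caps and child_caps & {"http", "tls"}:
            score += 2
            reasons.append("child decrypts DPAPI blobs and speaks HTTP/TLS: " + ", ".join(sorted(child_caps)))
        if "amsi" in capabilities(parent.modules) and "amsi" not in child_caps:
            score += 1
            reasons.append("parent loaded amsi.dll (in-memory assembly load) but the child did not: loader, then payload")
        findings.append({"parent": parent.pid, "child": child.pid, "score": score, "reasons": reasons})
    return findings


IMAGE = r"C:\Users\user\Desktop\RFQ 306 & 307.exe"
# First 'Section loaded' series of the report (assumed to be the parent).
PARENT_MODULES = {
    "mscoree.dll", "apphelp.dll", "kernel.appcore.dll", "version.dll",
    "vcruntime140_clr0400.dll", "ucrtbase_clr0400.dll", "uxtheme.dll",
    "windows.storage.dll", "wldp.dll", "profapi.dll", "cryptsp.dll",
    "rsaenh.dll", "cryptbase.dll", "dwrite.dll", "textshaping.dll",
    "windowscodecs.dll", "amsi.dll", "userenv.dll", "msasn1.dll",
    "gpapi.dll", "iconcodecservice.dll",
}
# Second series (assumed to be the spawned child).
CHILD_MODULES = {
    "mscoree.dll", "kernel.appcore.dll", "version.dll",
    "vcruntime140_clr0400.dll", "ucrtbase_clr0400.dll", "uxtheme.dll",
    "windows.storage.dll", "wldp.dll", "profapi.dll", "cryptsp.dll",
    "rsaenh.dll", "cryptbase.dll", "rasapi32.dll", "rasman.dll",
    "rtutils.dll", "mswsock.dll", "winhttp.dll",
    "ondemandconnroutehelper.dll", "iphlpapi.dll", "dhcpcsvc6.dll",
    "dhcpcsvc.dll", "dnsapi.dll", "winnsi.dll", "rasadhlp.dll",
    "fwpuclnt.dll", "secur32.dll", "sspicli.dll", "schannel.dll",
    "mskeyprotect.dll", "ntasn1.dll", "ncrypt.dll", "ncryptsslp.dll",
    "msasn1.dll", "gpapi.dll", "dpapi.dll",
}
SAMPLE_TREE = [Proc(1, None, IMAGE, PARENT_MODULES), Proc(2, 1, IMAGE, CHILD_MODULES)]

if __name__ == "__main__":
    for f in triage(SAMPLE_TREE):
        print(f"pid {f['parent']} -> pid {f['child']}: score {f['score']}")
        for r in f["reasons"]:
            print("  -", r)
```

Run on the sample tree this yields a single finding with score 5 and all four reasons; a constructed chrome.exe under C:\Program Files spawning chrome.exe with no credential or network modules loaded scores 1, which is the point of weighting the self-spawn itself so low.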

            Data Obfuscation

            Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, q1BKUVwJQkg2RGYPU1.cs | .Net Code: TWE9lrV68k System.Reflection.Assembly.Load(byte[])
            Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, q1BKUVwJQkg2RGYPU1.cs | .Net Code: TWE9lrV68k System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 0_2_0674975F push 1806B439h; retf 0_2_0674976D
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 1_2_06502E60 push esp; iretd 1_2_06502E79
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 1_2_06506F13 push es; ret 1_2_06506FE4
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 1_2_06506F8B push es; ret 1_2_06506FE4
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Code function: 1_2_06507059 push es; iretd 1_2_0650705C
            Source: RFQ 306 & 307.exe | Static PE information: section name: .text entropy: 7.776419308097989
            Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, oLLT1fuQKA0ItyO97rK.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KVcVjNjWjo', 'loAVQYftFu', 'QWKVWKbwrY', 'QvEVVf0QW2', 'kOYVKggWn7', 'GR7VtPa7Kc', 'dKWV1QxyGh'
            Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, DsaEphH2MIsygfMQr6.cs | High entropy of concatenated method names: 'kAmo2w1Khx', 'DFgohMIYlc', 'vkPocXlFi8', 'UH7owrYKTr', 'T3IorIFcSx', 'h48o88DSQC', 'n3koS2K0fW', 'Ll8omefWxV', 'JP2ojwv0dQ', 'iUeoQvYi0B'
            Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, XVPZfyhhPA7FaJJ7JP.cs | High entropy of concatenated method names: 'OHvlhh39Q', 'vUU20nZ8J', 'ibth9Hu5I', 'F4EM4a37w', 'IWWwJl1FJ', 'xC6bKYMMU', 'rFK9dZlnhCuD9j2vNl', 'HwelMtrRIe9B1INrs8', 'tvcmDoNJC', 'd0yQFqe8j'
            Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, DkuypGxrD9A15a6kja.cs | High entropy of concatenated method names: 'Dispose', 'd8WG0T06OT', 'gbWTO8YOFT', 'diJVFJUj5E', 'ww6G67MlCL', 'tXnGzbwQ6Z', 'ProcessDialogKey', 'YRSTBwQ6Oy', 'lp4TGJxxk1', 'uhQTToi43l'
            Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, F4dCuiQAR63FGGlGah.cs | High entropy of concatenated method names: 'IqkGyhyWmV', 'fWsGNkwfQb', 'AjtGqoi7cN', 'DfgGRZ8kpB', 'lrQGrQdfZw', 'JUgG8E5ovw', 'QsWYvWaoVfTxQ0xFHD', 'qCUVeQeuIgjCDN5lVp', 'S1VGG6jJNM', 'FCtGkobYPv'
            Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, BvJWnU2ehoJXWiR5lk.cs | High entropy of concatenated method names: 'dTFju1oLxU', 'DeQjOep4kZ', 'ROUjZ1ZleC', 'hkIjYrL91L', 'PpPj3W18g5', 'fr3jUqesCr', 'tdjjXS4Cic', 'JHcjv3a7Iq', 'VlxjgfoUV4', 'MjLjas20Qf'
            Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, EKZyeY3TsjB3XWq34g.cs | High entropy of concatenated method names: 'EaljrSegLn', 'KPKjSAxnUj', 'pohjjfnblG', 'Oq2jWTXqF4', 'aucjKs7Qnl', 'rrxj1sxRGG', 'Dispose', 'A4PmI0HCAN', 'elKmAbO019', 'ggfmoh2bj8'
            Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, Lynkvxipa86qHxAK7X.cs | High entropy of concatenated method names: 'iQWSisEE9M', 'CN9S6TicVV', 'odmmBkcspF', 'yVXmGJPFHA', 'h64S5uEP2V', 'rwISEPftH3', 'dGwSJByre8', 'tVjSs0A4po', 'z19SCw6avV', 'ApVSHr6uyH'
            Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, uUKjitjVF91h3NcCAo.cs | High entropy of concatenated method names: 'mdty7Jg7Ll', 'Hm4yLYRYmi', 'A6iylsInuN', 'NImy2y0MJb', 'tOjypWc9qr', 'OIcyh3tpdt', 'AWmyMEYR0D', 'XMiycdyx3C', 'xr6ywBK3XC', 'OXnybLBYgX'
            Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, TWFk1hsDU74sZHvD9d.cs | High entropy of concatenated method names: 'e9lAs3A8yl', 'xhbACW2EMJ', 'PjFAH0KHNp', 'bX0Ax5WTiY', 'Fb0AFF8f49', 'W0NAey2STN', 'I9HAP783nC', 'Md0AiVB7FT', 'WNRA0mPBjh', 'GX2A6u4L5c'
            Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, E7fD9jXGOJD1inusCC.cs | High entropy of concatenated method names: 'eDrDdxNkSc', 'qcvDAHDhMk', 'dUiDnWKbpD', 'RnfDyZfl28', 'lctDNumexR', 'fG5nFZtmd0', 'IBFneM858q', 'krxnP22EH3', 'b5NnihYpC1', 'Eqkn0a0aLf'
            Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, CdBfC3uupV4v5U2jLkx.cs | High entropy of concatenated method names: 'l5FQ6tRFQQ', 'goeQz9tevY', 'fU6WBrNeNS', 'JgjWGr3MVk', 'bg6WT7H32M', 'bjdWkgUonY', 's7HW9ST0WP', 'Wh8Wd33bZV', 'mOSWIXCuYu', 'zNCWAlM47d'
            Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, u4hKfXuvyTf2ayl5SKl.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ESWQ5xADun', 'h5EQEBtPH0', 'zjqQJ4ML4L', 'Oe9QsGLny0', 'zpbQCsiqvM', 'a4YQHDS2wm', 'RH7QxnvygP'
            Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, pNFTLtP5U3nquNxMVY.cs | High entropy of concatenated method names: 'fjlraQJRNI', 'F3OrEIZYGS', 'me1rsjhdvy', 'zKjrCSajbl', 'ELArORYUvP', 'Ya7rZMdkVG', 'dMkrYwYmsO', 'lbYr35Irxu', 'k1yrUApJlW', 'SF9rXtDhWQ'
            Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, sEwaNB7v2upKp0WSxd.cs | High entropy of concatenated method names: 'ToString', 'UfY85ZaQM0', 'pI88O6xtH3', 'zwI8ZRlFMa', 'yt68Yi0E1D', 'vd683bBxpl', 'wvG8UiraW2', 'zrH8XOwjw9', 'W7d8v1Q1qL', 'otA8gWPBCP'
            Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, RhEa5hWtp6VJt1yayH.cs | High entropy of concatenated method names: 'eMD4cIec5q', 'JPn4wU0VbP', 'SK14uSPl5v', 'QSM4OCJWq4', 'cxX4Y9CauZ', 'dGh43LMNUy', 'qZp4XgRdTR', 'VX24vU8f6k', 'M0N4aCDLR4', 'VTd45vdXCs'
            Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, q1BKUVwJQkg2RGYPU1.cs | High entropy of concatenated method names: 'MNDkdcTblx', 'pS6kI5VjBd', 'OeYkAtInfU', 'DwEkodQO8q', 'yKYknFTUbH', 'UEIkDVyPbA', 'E0nkyqHk7T', 'mQ2kNlCjBX', 'e1Tkfs8hr3', 'AGBkqtRE5m'
            Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, z1GVU4kGypXRGrLIRZ.cs | High entropy of concatenated method names: 'oVBQopk4Y7', 'w55QnWwt2l', 'db4QDe9mB3', 'zimQy1kPql', 'C2IQj8kH7M', 'IMdQNIfLh2', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, WrkQmnzvYLcCGunCKP.cs | High entropy of concatenated method names: 'QsoQhSqkr6', 'R0bQcd09dP', 'taXQwUGKnU', 'bn3QuXZfxb', 'iZLQORgfaD', 'B4RQYiUqNt', 'n75Q3d91RN', 'UCwQ1L5vIP', 'nrcQ7rI36p', 'g4wQLPrB2L'
            Source: 0.2.RFQ 306 & 307.exe.6980000.4.raw.unpack, wQqLynYYpa7i8cEsW1.cs | High entropy of concatenated method names: 'mhwyIrFgb7', 'Dk0yoAiG5Y', 'UQMyDtDKT8', 'RYPD6dgfQX', 'AUZDz24nvq', 'akuyBhoZPK', 'z4FyGBUR99', 'VfMyTMNf2M', 't0Xykv8ywm', 'lSjy97DPcc'
            Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, oLLT1fuQKA0ItyO97rK.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KVcVjNjWjo', 'loAVQYftFu', 'QWKVWKbwrY', 'QvEVVf0QW2', 'kOYVKggWn7', 'GR7VtPa7Kc', 'dKWV1QxyGh'
            Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, DsaEphH2MIsygfMQr6.cs | High entropy of concatenated method names: 'kAmo2w1Khx', 'DFgohMIYlc', 'vkPocXlFi8', 'UH7owrYKTr', 'T3IorIFcSx', 'h48o88DSQC', 'n3koS2K0fW', 'Ll8omefWxV', 'JP2ojwv0dQ', 'iUeoQvYi0B'
            Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, XVPZfyhhPA7FaJJ7JP.cs | High entropy of concatenated method names: 'OHvlhh39Q', 'vUU20nZ8J', 'ibth9Hu5I', 'F4EM4a37w', 'IWWwJl1FJ', 'xC6bKYMMU', 'rFK9dZlnhCuD9j2vNl', 'HwelMtrRIe9B1INrs8', 'tvcmDoNJC', 'd0yQFqe8j'
            Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, DkuypGxrD9A15a6kja.cs | High entropy of concatenated method names: 'Dispose', 'd8WG0T06OT', 'gbWTO8YOFT', 'diJVFJUj5E', 'ww6G67MlCL', 'tXnGzbwQ6Z', 'ProcessDialogKey', 'YRSTBwQ6Oy', 'lp4TGJxxk1', 'uhQTToi43l'
            Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, F4dCuiQAR63FGGlGah.cs | High entropy of concatenated method names: 'IqkGyhyWmV', 'fWsGNkwfQb', 'AjtGqoi7cN', 'DfgGRZ8kpB', 'lrQGrQdfZw', 'JUgG8E5ovw', 'QsWYvWaoVfTxQ0xFHD', 'qCUVeQeuIgjCDN5lVp', 'S1VGG6jJNM', 'FCtGkobYPv'
            Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, BvJWnU2ehoJXWiR5lk.cs | High entropy of concatenated method names: 'dTFju1oLxU', 'DeQjOep4kZ', 'ROUjZ1ZleC', 'hkIjYrL91L', 'PpPj3W18g5', 'fr3jUqesCr', 'tdjjXS4Cic', 'JHcjv3a7Iq', 'VlxjgfoUV4', 'MjLjas20Qf'
            Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, EKZyeY3TsjB3XWq34g.cs | High entropy of concatenated method names: 'EaljrSegLn', 'KPKjSAxnUj', 'pohjjfnblG', 'Oq2jWTXqF4', 'aucjKs7Qnl', 'rrxj1sxRGG', 'Dispose', 'A4PmI0HCAN', 'elKmAbO019', 'ggfmoh2bj8'
            Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, Lynkvxipa86qHxAK7X.cs | High entropy of concatenated method names: 'iQWSisEE9M', 'CN9S6TicVV', 'odmmBkcspF', 'yVXmGJPFHA', 'h64S5uEP2V', 'rwISEPftH3', 'dGwSJByre8', 'tVjSs0A4po', 'z19SCw6avV', 'ApVSHr6uyH'
            Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, uUKjitjVF91h3NcCAo.cs | High entropy of concatenated method names: 'mdty7Jg7Ll', 'Hm4yLYRYmi', 'A6iylsInuN', 'NImy2y0MJb', 'tOjypWc9qr', 'OIcyh3tpdt', 'AWmyMEYR0D', 'XMiycdyx3C', 'xr6ywBK3XC', 'OXnybLBYgX'
            Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, TWFk1hsDU74sZHvD9d.cs | High entropy of concatenated method names: 'e9lAs3A8yl', 'xhbACW2EMJ', 'PjFAH0KHNp', 'bX0Ax5WTiY', 'Fb0AFF8f49', 'W0NAey2STN', 'I9HAP783nC', 'Md0AiVB7FT', 'WNRA0mPBjh', 'GX2A6u4L5c'
            Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, E7fD9jXGOJD1inusCC.cs | High entropy of concatenated method names: 'eDrDdxNkSc', 'qcvDAHDhMk', 'dUiDnWKbpD', 'RnfDyZfl28', 'lctDNumexR', 'fG5nFZtmd0', 'IBFneM858q', 'krxnP22EH3', 'b5NnihYpC1', 'Eqkn0a0aLf'
            Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, CdBfC3uupV4v5U2jLkx.cs | High entropy of concatenated method names: 'l5FQ6tRFQQ', 'goeQz9tevY', 'fU6WBrNeNS', 'JgjWGr3MVk', 'bg6WT7H32M', 'bjdWkgUonY', 's7HW9ST0WP', 'Wh8Wd33bZV', 'mOSWIXCuYu', 'zNCWAlM47d'
            Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, u4hKfXuvyTf2ayl5SKl.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ESWQ5xADun', 'h5EQEBtPH0', 'zjqQJ4ML4L', 'Oe9QsGLny0', 'zpbQCsiqvM', 'a4YQHDS2wm', 'RH7QxnvygP'
            Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, pNFTLtP5U3nquNxMVY.cs | High entropy of concatenated method names: 'fjlraQJRNI', 'F3OrEIZYGS', 'me1rsjhdvy', 'zKjrCSajbl', 'ELArORYUvP', 'Ya7rZMdkVG', 'dMkrYwYmsO', 'lbYr35Irxu', 'k1yrUApJlW', 'SF9rXtDhWQ'
            Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, sEwaNB7v2upKp0WSxd.cs | High entropy of concatenated method names: 'ToString', 'UfY85ZaQM0', 'pI88O6xtH3', 'zwI8ZRlFMa', 'yt68Yi0E1D', 'vd683bBxpl', 'wvG8UiraW2', 'zrH8XOwjw9', 'W7d8v1Q1qL', 'otA8gWPBCP'
            Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, RhEa5hWtp6VJt1yayH.cs | High entropy of concatenated method names: 'eMD4cIec5q', 'JPn4wU0VbP', 'SK14uSPl5v', 'QSM4OCJWq4', 'cxX4Y9CauZ', 'dGh43LMNUy', 'qZp4XgRdTR', 'VX24vU8f6k', 'M0N4aCDLR4', 'VTd45vdXCs'
            Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, q1BKUVwJQkg2RGYPU1.cs | High entropy of concatenated method names: 'MNDkdcTblx', 'pS6kI5VjBd', 'OeYkAtInfU', 'DwEkodQO8q', 'yKYknFTUbH', 'UEIkDVyPbA', 'E0nkyqHk7T', 'mQ2kNlCjBX', 'e1Tkfs8hr3', 'AGBkqtRE5m'
            Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, z1GVU4kGypXRGrLIRZ.cs | High entropy of concatenated method names: 'oVBQopk4Y7', 'w55QnWwt2l', 'db4QDe9mB3', 'zimQy1kPql', 'C2IQj8kH7M', 'IMdQNIfLh2', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, WrkQmnzvYLcCGunCKP.cs | High entropy of concatenated method names: 'QsoQhSqkr6', 'R0bQcd09dP', 'taXQwUGKnU', 'bn3QuXZfxb', 'iZLQORgfaD', 'B4RQYiUqNt', 'n75Q3d91RN', 'UCwQ1L5vIP', 'nrcQ7rI36p', 'g4wQLPrB2L'
            Source: 0.2.RFQ 306 & 307.exe.368f7b0.2.raw.unpack, wQqLynYYpa7i8cEsW1.cs | High entropy of concatenated method names: 'mhwyIrFgb7', 'Dk0yoAiG5Y', 'UQMyDtDKT8', 'RYPD6dgfQX', 'AUZDz24nvq', 'akuyBhoZPK', 'z4FyGBUR99', 'VfMyTMNf2M', 't0Xykv8ywm', 'lSjy97DPcc'
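
The "High entropy of concatenated method names" entries come from a heuristic that joins a type's method names and measures the Shannon entropy of the result; names such as CanConvertFrom, Dispose and ProcessDialogKey survive in the lists because they override framework members that an obfuscator cannot rename. The Python below is an added reimplementation of that idea, not Joe Sandbox's code: the 4.6-bit threshold, the minimum of five names, the list of framework names it ignores and the plain WinForms-style comparison set are assumptions of the example, while the two obfuscated name lists are copied from the DsaEphH2MIsygfMQr6.cs and oLLT1fuQKA0ItyO97rK.cs entries above.

```python
"""Added example (not Joe Sandbox code): the 'high entropy of concatenated
method names' heuristic, reimplemented. Threshold, ignored framework names
and the plain-name comparison set are assumptions; the obfuscated name lists
are copied from the report entries above."""
import math
import re


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical symbol distribution of text."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Overrides of framework members survive renaming (an obfuscator cannot touch
# them), so they dilute the measurement and are left out. Assumed list.
FRAMEWORK_NAMES = {
    "Dispose", "ToString", "Equals", "GetHashCode", "Finalize",
    "CanConvertFrom", "ConvertFrom", "ConvertTo", "ProcessDialogKey",
    "Next", "NextBytes",
}


def score_type(method_names, threshold: float = 4.6, min_names: int = 5) -> dict:
    """Entropy of the joined custom names plus the share of names carrying a
    digit; a type is called obfuscated when enough names exceed the threshold."""
    custom = [m for m in method_names if m not in FRAMEWORK_NAMES]
    entropy = shannon_entropy("".join(custom))
    with_digit = sum(1 for m in custom if re.search(r"\d", m))
    return {
        "names": len(custom),
        "entropy": round(entropy, 2),
        "digit_ratio": round(with_digit / len(custom), 2) if custom else 0.0,
        "obfuscated": len(custom) >= min_names and entropy >= threshold,
    }


def scan(types: dict) -> list:
    """types maps a type name to its method names; returns the flagged types."""
    return sorted(name for name, methods in types.items() if score_type(methods)["obfuscated"])


# From the DsaEphH2MIsygfMQr6.cs entry.
OBFUSCATED = ['kAmo2w1Khx', 'DFgohMIYlc', 'vkPocXlFi8', 'UH7owrYKTr', 'T3IorIFcSx',
              'h48o88DSQC', 'n3koS2K0fW', 'Ll8omefWxV', 'JP2ojwv0dQ', 'iUeoQvYi0B']
# From the oLLT1fuQKA0ItyO97rK.cs entry: TypeConverter overrides mixed with renamed members.
MIXED = ['CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KVcVjNjWjo', 'loAVQYftFu',
         'QWKVWKbwrY', 'QvEVVf0QW2', 'kOYVKggWn7', 'GR7VtPa7Kc', 'dKWV1QxyGh']
# Constructed WinForms-style names for comparison (not from the report).
PLAIN = ['InitializeComponent', 'button1_Click', 'LoadSettings', 'SaveSettings', 'OnResize',
         'UpdateTitle', 'ParseArgs', 'GetConnectionString', 'ReadConfig', 'WriteLog']

if __name__ == "__main__":
    for label, names in (("obfuscated", OBFUSCATED), ("mixed", MIXED), ("plain", PLAIN)):
        print(label, score_type(names))
    print("flagged:", scan({"DsaEphH2MIsygfMQr6": OBFUSCATED,
                            "oLLT1fuQKA0ItyO97rK": MIXED, "MainForm": PLAIN}))
```

The fully renamed type scores above 5 bits per character, the mixed one lands near 4.7 once its three TypeConverter overrides are set aside, and the plain names stay around 4.4; the digit ratio is the cheap second opinion, since English identifiers rarely contain digits while nine of the ten renamed ones do.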
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Process information set: NOOPENFILEERRORBOX (identical entry repeated 96 times in the report)
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Memory allocated: B10000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Memory allocated: 24E0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Memory allocated: 44E0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Memory allocated: 8C20000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Memory allocated: 9C20000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Memory allocated: 9E40000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Memory allocated: AE40000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Memory allocated: AC0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Memory allocated: 2880000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Memory allocated: DA0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Thread delayed: delay time: 600000
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Thread delayed: delay time: 599891
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Thread delayed: delay time: 599781
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Thread delayed: delay time: 599672
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Thread delayed: delay time: 599562
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Thread delayed: delay time: 599453
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Thread delayed: delay time: 599344
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Thread delayed: delay time: 599234
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Thread delayed: delay time: 599125
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Thread delayed: delay time: 599016
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Thread delayed: delay time: 598906
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Thread delayed: delay time: 598782
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Thread delayed: delay time: 598669
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Thread delayed: delay time: 598562
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Thread delayed: delay time: 598452
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Thread delayed: delay time: 598338
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Thread delayed: delay time: 598097
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Thread delayed: delay time: 597969
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Thread delayed: delay time: 597859
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Thread delayed: delay time: 597750
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Thread delayed: delay time: 597641
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Thread delayed: delay time: 597531
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 597422Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 597313Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 597188Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 597065Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 596938Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 596828Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 596719Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 596609Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 596500Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 596390Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 596281Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 596172Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 596061Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 595953Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 595844Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 595730Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 595612Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 595484Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 595372Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 595265Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 595112Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 594938Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 594813Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 594688Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 594578Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 594469Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 594344Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 594234Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 594125Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 594016Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeWindow / User API: threadDelayed 1446Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeWindow / User API: threadDelayed 8391Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 6796Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5792Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep count: 38 > 30Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -35048813740048126s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -600000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -599891s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 4772Thread sleep count: 1446 > 30Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 4772Thread sleep count: 8391 > 30Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -599781s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -599672s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -599562s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -599453s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -599344s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -599234s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -599125s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -599016s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -598906s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -598782s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -598669s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -598562s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -598452s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -598338s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -598097s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -597969s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -597859s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -597750s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -597641s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -597531s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -597422s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -597313s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -597188s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -597065s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -596938s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -596828s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -596719s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -596609s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -596500s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -596390s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -596281s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -596172s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -596061s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -595953s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -595844s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -595730s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -595612s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -595484s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -595372s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -595265s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -595112s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -594938s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -594813s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -594688s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -594578s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -594469s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -594344s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -594234s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -594125s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe TID: 5356Thread sleep time: -594016s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 30000Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 600000Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 599891Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 599781Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 599672Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 599562Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 599453Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 599344Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 599234Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 599125Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 599016Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 598906Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 598782Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 598669Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 598562Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 598452Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 598338Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 598097Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 597969Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 597859Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 597750Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 597641Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 597531Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 597422Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 597313Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 597188Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 597065Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 596938Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 596828Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 596719Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 596609Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 596500Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 596390Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 596281Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 596172Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 596061Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 595953Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 595844Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 595730Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 595612Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 595484Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 595372Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 595265Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 595112Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 594938Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 594813Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 594688Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 594578Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 594469Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 594344Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 594234Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 594125Jump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeThread delayed: delay time: 594016Jump to behavior
            Source: RFQ 306 & 307.exe, 00000001.00000002.3418780169.0000000000B06000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeCode function: 1_2_06507B70 LdrInitializeThunk,1_2_06507B70
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Memory written: C:\Users\user\Desktop\RFQ 306 & 307.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Process created: C:\Users\user\Desktop\RFQ 306 & 307.exe "C:\Users\user\Desktop\RFQ 306 & 307.exe"
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Queries volume information: C:\Users\user\Desktop\RFQ 306 & 307.exe VolumeInformation
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Queries volume information: C:\Users\user\Desktop\RFQ 306 & 307.exe VolumeInformation
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: 1.2.RFQ 306 & 307.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.RFQ 306 & 307.exe.3557160.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.RFQ 306 & 307.exe.3577b80.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.RFQ 306 & 307.exe.3577b80.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.RFQ 306 & 307.exe.3557160.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000001.00000002.3417519424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.3420124355.0000000002A4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.974808957.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.3420124355.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RFQ 306 & 307.exe PID: 716, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RFQ 306 & 307.exe PID: 5560, type: MEMORYSTR
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
            Source: C:\Users\user\Desktop\RFQ 306 & 307.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: Yara match | File source: 1.2.RFQ 306 & 307.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.RFQ 306 & 307.exe.3557160.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.RFQ 306 & 307.exe.3577b80.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.RFQ 306 & 307.exe.3577b80.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.RFQ 306 & 307.exe.3557160.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000001.00000002.3417519424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.974808957.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RFQ 306 & 307.exe PID: 716, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RFQ 306 & 307.exe PID: 5560, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 1.2.RFQ 306 & 307.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.RFQ 306 & 307.exe.3557160.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.RFQ 306 & 307.exe.3577b80.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.RFQ 306 & 307.exe.3577b80.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.RFQ 306 & 307.exe.3557160.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000001.00000002.3417519424.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.3420124355.0000000002A4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.974808957.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.3420124355.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RFQ 306 & 307.exe PID: 716, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RFQ 306 & 307.exe PID: 5560, type: MEMORYSTR
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | DLL Side-Loading (1) | Process Injection (111) | Masquerading (1) | OS Credential Dumping (1) | Security Software Discovery (1) | Remote Services | Email Collection (1) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Disable or Modify Tools (1) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Archive Collected Data (11) | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (31) | Security Account Manager | Virtualization/Sandbox Evasion (31) | SMB/Windows Admin Shares | Data from Local System (1) | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (111) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (13) | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | System Network Configuration Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (3) | Cached Domain Credentials | System Information Discovery (13) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (12) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
