Windows Analysis Report RFQ_ 21072021.exe

Overview

General Information

Sample Name: RFQ_ 21072021.exe
Analysis ID: 452459
MD5: 0a74cbd4246a6e11077876c572a3d507
SHA1: 0a4f341f4e9b399fa37a42e041bb3bb3b6f455ff
SHA256: 4856e75e63f0c5c14255001eefbea1d88c99fa8b7279dd0703a407a90b222b93

Detection

AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Injects a PE file into a foreign process
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • RFQ_ 21072021.exe (PID: 4792 cmdline: 'C:\Users\user\Desktop\RFQ_ 21072021.exe' MD5: 0A74CBD4246A6E11077876C572A3D507)
    • RFQ_ 21072021.exe (PID: 2408 cmdline: C:\Users\user\Desktop\RFQ_ 21072021.exe MD5: 0A74CBD4246A6E11077876C572A3D507)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "webmaster@tccinfaes.com", "Password": "transportes", "Host": "mail.tccinfaes.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: RFQ_ 21072021.exe PID: 2408 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: RFQ_ 21072021.exe PID: 2408 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Unpacked PEs

Source | Rule | Description | Author
5.2.RFQ_ 21072021.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.RFQ_ 21072021.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 5.2.RFQ_ 21072021.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "webmaster@tccinfaes.com", "Password": "transportes", "Host": "mail.tccinfaes.com"}
Multi AV Scanner detection for submitted file
Source: RFQ_ 21072021.exe | Virustotal: Detection: 30%
Source: RFQ_ 21072021.exe | ReversingLabs: Detection: 15%
Machine Learning detection for sample
Source: RFQ_ 21072021.exe | Joe Sandbox ML: detected
Source: 5.2.RFQ_ 21072021.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: RFQ_ 21072021.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: RFQ_ 21072021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: global traffic | TCP traffic: 192.168.2.3:49739 -> 188.93.227.195:587
Source: Joe Sandbox View | IP Address: 188.93.227.195
Source: Joe Sandbox View | ASN Name: CLARANET-ASClaraNETLTDGB
Source: unknown | DNS traffic detected: queries for: mail.tccinfaes.com
Source: RFQ_ 21072021.exe, 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RFQ_ 21072021.exe, 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RFQ_ 21072021.exe, 00000005.00000002.473275358.00000000034E4000.00000004.00000001.sdmp | String found in binary or memory: http://TryUj9XyxT6LakY.org
Source: RFQ_ 21072021.exe | String found in binary or memory: http://api.twitter.com/1/direct_messages.xml?since_id=
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | String found in binary or memory: http://mail.tccinfaes.com
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0)
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | String found in binary or memory: http://tccinfaes.com
Source: RFQ_ 21072021.exe | String found in binary or memory: http://twitter.com/statuses/user_timeline.xml?screen_name=
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: RFQ_ 21072021.exe, 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp | String found in binary or memory: http://xmALXm.com
Source: RFQ_ 21072021.exe, 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RFQ_ 21072021.exe, 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
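Only two of the rows above are network evidence (the TCP session to 188.93.227.195:587 and the DNS query for mail.tccinfaes.com); the rest are strings pulled out of memory, and several of them are certificate-chain URLs (Let's Encrypt and IdenTrust CPS, CRL and OCSP endpoints) that sit in memory because the process negotiated TLS, often with a trailing "0" where the next DER tag byte was printed as a character. The Python below is an added example, not Joe Sandbox code, that sorts such rows into IOC tiers before anything is pushed to a blocklist. The report lines are constructed copies of the rows above with the source column shortened, the PKI allowlist and the tier rules are assumptions, and the "0" explanation is the usual cause rather than something the report states.

```python
"""Tier the network and string indicators from a sandbox report.

Added example, not Joe Sandbox code. REPORT_LINES are constructed from the
rows of this report; the tiering rules are assumptions a practitioner would
apply when turning a sandbox report into IOCs.
"""
import re
from urllib.parse import urlsplit

# Certificate-infrastructure domains that show up because the sample spoke TLS
# (CPS, CRL and OCSP URLs from Let's Encrypt / IdenTrust chains), not because
# it talks to them as C2. Assumed allowlist; extend per your own telemetry.
PKI_NOISE = ("letsencrypt.org", "lencr.org", "identrust.com")

_TCP = re.compile(r"TCP traffic: \S+ -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
_DNS = re.compile(r"queries for: (\S+)")
_STR = re.compile(r"String found in binary or memory: (\S+)")


def host_of(url: str):
    """Hostname of a URL-ish string, or None when it cannot be parsed."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def is_pki_noise(host: str) -> bool:
    # Strings lifted from X.509 extensions often carry the following DER tag
    # byte rendered as a trailing "0" ("cps.letsencrypt.org0"); strip it first.
    return any(host.rstrip("0").endswith(suffix) for suffix in PKI_NOISE)


def triage(lines):
    """Split report rows into IOC tiers.

    observed:     hosts/ports actually seen in DNS or TCP traffic (best evidence)
    corroborated: string-only hosts equal to, or a parent of, an observed host
    pki_noise:    certificate infrastructure, drop
    loopback:     127.0.0.1 / localhost, drop
    review:       everything else; needs an analyst before it becomes an IOC
    """
    observed, strings = set(), set()
    for line in lines:
        if m := _TCP.search(line):
            observed.add(f"{m.group(1)}:{m.group(2)}")
        elif m := _DNS.search(line):
            observed.add(m.group(1).lower())
        elif m := _STR.search(line):
            host = host_of(m.group(1))
            if host:
                strings.add(host)
    observed_hosts = {o.split(":")[0] for o in observed}
    tiers = {"observed": sorted(observed), "corroborated": [],
             "pki_noise": [], "loopback": [], "review": []}
    for host in sorted(strings):
        if host in ("127.0.0.1", "localhost"):
            tiers["loopback"].append(host)
        elif is_pki_noise(host):
            tiers["pki_noise"].append(host)
        elif host in observed_hosts or any(o.endswith("." + host) for o in observed_hosts):
            tiers["corroborated"].append(host)
        else:
            tiers["review"].append(host)
    return tiers


# Constructed from the report rows above (source column shortened to "...").
REPORT_LINES = [
    "Source: global traffic TCP traffic: 192.168.2.3:49739 -> 188.93.227.195:587",
    "Source: unknown DNS traffic detected: queries for: mail.tccinfaes.com",
    "Source: ... String found in binary or memory: http://127.0.0.1:HTTP/1.1",
    "Source: ... String found in binary or memory: http://cps.letsencrypt.org0",
    "Source: ... String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0",
    "Source: ... String found in binary or memory: http://r3.i.lencr.org/0)",
    "Source: ... String found in binary or memory: http://mail.tccinfaes.com",
    "Source: ... String found in binary or memory: http://tccinfaes.com",
    "Source: ... String found in binary or memory: http://TryUj9XyxT6LakY.org",
    "Source: ... String found in binary or memory: http://api.twitter.com/1/direct_messages.xml?since_id=",
]

if __name__ == "__main__":
    for tier, items in triage(REPORT_LINES).items():
        print(f"{tier:13s} {items}")
```

The mail host and its parent domain come out corroborated by live traffic, the loopback and PKI rows are dropped, and the random-looking .org and twitter API strings stay in the review tier rather than being promoted or discarded automatically.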

System Summary:

.NET source code contains very large array initializations
Source: 5.2.RFQ_ 21072021.exe.400000.0.unpack, <PrivateImplementationDetails>{8EE18770-EECE-4ADF-9E9E-074DF25730B2}/11D6105C-DC1D-4AAA-8C1B-C3E13237EBD4.cs | Large array initialization: .cctor: array initializer size 11960
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_014FC898
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_014F2B98
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_014F55E0
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_014F8690
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_014F0B10
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_014F2B84
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_015A47A0
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_015A3E4A
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_015A4752
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_015A4790
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_015AD661
Source: RFQ_ 21072021.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RFQ_ 21072021.exe, 00000000.00000000.200067110.00000000005DA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameValueFix.exe8 vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe, 00000005.00000002.470604186.00000000015CA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe, 00000005.00000002.470440078.0000000001500000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe, 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamegzwcjkfsADBjJOEQlRwAtFYMhaFmnBBLEezh.exe4 vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe, 00000005.00000002.475880688.0000000006310000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe, 00000005.00000000.251584660.0000000000E5A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameValueFix.exe8 vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe, 00000005.00000002.468933088.0000000000FA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe, 00000005.00000002.469162239.00000000012F8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe | Binary or memory string: OriginalFilenameValueFix.exe8 vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: RFQ_ 21072021.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: RFQ_ 21072021.exe, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.RFQ_ 21072021.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ_ 21072021.exe.log
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (reported 2 times)
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 3 times)
Source: RFQ_ 21072021.exe | Virustotal: Detection: 30%
Source: RFQ_ 21072021.exe | ReversingLabs: Detection: 15%
Source: unknown | Process created: C:\Users\user\Desktop\RFQ_ 21072021.exe 'C:\Users\user\Desktop\RFQ_ 21072021.exe'
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Process created: C:\Users\user\Desktop\RFQ_ 21072021.exe C:\Users\user\Desktop\RFQ_ 21072021.exe
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: RFQ_ 21072021.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ_ 21072021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_014FADEB pushad ; retf 5_2_014FADF1
Source: initial sample | Static PE information: section name: .text entropy: 7.56840197347
                Source: RFQ_ 21072021.exe, vH5CTpL7PRrybq4BEx/DvSBiax85Mf9iXnJls.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'TUkhHwEoMQ', 'jexqB0sQvf', 'EAMq0Lgmng', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'DvQq9YiAtj'
                Source: RFQ_ 21072021.exe, hFoyd9ZZlscN3Tfusf/bsYUZZyCX661EfBocS.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'kZMhivpLIy', 'x1PKGpaia1', 'BJaKdSKsIu', 'cGEKnJLZ5S', 'zqEKR4RpPQ', 'RvgKyr1y5H', 'NfBKDsUM5S', 'lqVKBUFGHP'
                Source: RFQ_ 21072021.exe, iXcXSY7pg6yVKma70g/jLGGdLl5HwEF2rsueU.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'IBvOK1Pi9i', 'SKo7x85PYt', 'bku7L97UVm', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'FB3JJ7eR0b'
                Source: RFQ_ 21072021.exe, mnTCYWkpLjqq4LGHqX/kfr1mxPYEEI8CfmbyY.csHigh entropy of concatenated method names: 'RMtXalTxwL', 'jOaXRpwgJK', 'Q5aX2yhTm1', 'xTiXQQsa9W', 'B0IXY77Bln', 'CnDX8xXo6b', 'yyNXnjGTLw', 'c8vXTNTefY', 'kYTX4YC92l', 'SeYXSfOxoW'
                Source: RFQ_ 21072021.exe, tTffFSW6kXuWfKvgpm/UOSweUjq7D3sPinCNu.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'wsnOiC6GaD', 'hHGOMCIsTu', 'BJkONONCLV', 'KPQOu61RIR', 'HxMOnKvXh0', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ'
                Source: RFQ_ 21072021.exe, w6i5Cem3b4xmaEE2yY/rUOALAfKg30nVuRCdr.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'qH2gvI9wZD', 'o3YJ90YG3K', 'VQ1JzqnLgi', 'WwW71Ti0Ad', 'v1F7ZYu8Uf', 'dxP7NYx2jU', 'kyw7irjvf8', 'wM57hnS8DW'
                Source: RFQ_ 21072021.exe, BOhciDTI7UxO4gCOYU/Ksq8yb8IncZbxUSfmK.csHigh entropy of concatenated method names: 'HZlDPscN3T', 'NusDkf5vSB', 'cnJDblsYH5', 'HTpD57PRry', 'fALD6AKg30', 'kVuDURCdrY', 'Fi5DCCe3b4', 'LmaD9EE2yY', 'a3sDoPinCN', 'jATDyffFS6'
                Source: RFQ_ 21072021.exe, pRlxiNUbgypVuoP6Uh/B4JTi56RhtZikvpub4.csHigh entropy of concatenated method names: 's3PpInSb1e', 'bripoYOGY3', 'cONpZriHm4', 'p1Ipx2BLIJ', 'yuDpfSAUcP', 'rv9pmVEwn5', 'odXpjX6no1', 'zUhpW2PJTx', 'HEJp7SLcUP', 'm6Epc8HDNQ'
                Source: RFQ_ 21072021.exe, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.csHigh entropy of concatenated method names: 'FsAGkxXBtY', 'TQpG6mcP37', 'NwdGUDD57w', '.ctor', '.ctor', 'upuGtXdOLY', 'mDjGb9jM1G', 'eutG5DCn44', 'sqXGKZ9lIE', 'U4ObLnO8pNqZRXbmlDm'
                Source: RFQ_ 21072021.exe, RfbfwGoi8RPSlkqfew/qGs0IBIGoXtVyYiA1b.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'ehiKVxgOqk', 'LXqKXarBEi', 'BLMKWrRO8N', 'xuZKgi2kW4', 'bKKKjrFVis', 'sDiK8i9FmT', 'SDnKo9k9ij', 'EYEKf66OdJ'
                Source: RFQ_ 21072021.exe, kXrdsv5uiP4KNIMTbI/G3qiembJ0C8UrfLoZV.csHigh entropy of concatenated method names: 'bagpr2m3hV', 'iGapBfs8pV', 'h6Ipqu7YNW', 'TFJpJ0FEjI', 'krmpap9A66', 'lQ9pRAvFtZ', 'WfIpAOuqVa', 'TpNp2rG3xC', 'vCrpQI9Vta', 'GClpsf0sCk'
                Source: RFQ_ 21072021.exe, gqpYcCwBrSrjvOKN6q/IQsis3cmuWgyYrWLIv.csHigh entropy of concatenated method names: '.ctor', 'YN9GDMDqbS', 'UwiGXgxhR5', 'gthGpXFG2c', 'ngcGhmkHlQ', 'HVCGgN1oxl', 'KhMGO58mrv', 'eg5aFLImrdSvdXjBWky', 'SO4kInIZEE6eEbTFr2r', 'jraHeDIreMNgnEaTC1n'
                Source: RFQ_ 21072021.exe, kYTYC9Dp2lHvdL05CDn/hCHQaLDX5jt1yNjGTLw.csHigh entropy of concatenated method names: '.ctor', 'mDDGcb94xK', 'G8QGwwKryy', 'THMGvTWsr1', 'f5AG0KfJH7', 'z24GHSyjdO', 'BcvG3YDk2Q', 'bdPGdKrmpJ', 'HX3GeiDjeb', 'CTiGzf0MTM'
                Source: RFQ_ 21072021.exe, LkgEbVzqnyfvD9F8H4/oEghyCe5Od9Uuo0voS.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'eliGylqiUR', 'VI27Op8v8m', 'ssN7QONSW9', 'R3lWrtO1QeoiU6PecH5', 'BnDSLGO713q4vgaRLQF', 'B9k7VDOxqLZy0YQN1hV', 'exF0vPON2GlJMfaSuqm', 'ovBBCAOvd0wREXMLZFH'
                Source: RFQ_ 21072021.exe, qNHMG6DDHOYZZ5NjAIq/pdO1x8DEK7IDC09kUd6.csHigh entropy of concatenated method names: 'Dispose', 'JlJGLNYeE8', 'Q4nGfoJqPc', 'DXPGmUGTfi', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'xDZsj1OsUUcAGBnvxhH', 'BiQy5SOUvqUO3fyuhUy'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, vH5CTpL7PRrybq4BEx/DvSBiax85Mf9iXnJls.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'TUkhHwEoMQ', 'jexqB0sQvf', 'EAMq0Lgmng', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'DvQq9YiAtj'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, hFoyd9ZZlscN3Tfusf/bsYUZZyCX661EfBocS.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'kZMhivpLIy', 'x1PKGpaia1', 'BJaKdSKsIu', 'cGEKnJLZ5S', 'zqEKR4RpPQ', 'RvgKyr1y5H', 'NfBKDsUM5S', 'lqVKBUFGHP'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, iXcXSY7pg6yVKma70g/jLGGdLl5HwEF2rsueU.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'IBvOK1Pi9i', 'SKo7x85PYt', 'bku7L97UVm', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'FB3JJ7eR0b'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, mnTCYWkpLjqq4LGHqX/kfr1mxPYEEI8CfmbyY.csHigh entropy of concatenated method names: 'RMtXalTxwL', 'jOaXRpwgJK', 'Q5aX2yhTm1', 'xTiXQQsa9W', 'B0IXY77Bln', 'CnDX8xXo6b', 'yyNXnjGTLw', 'c8vXTNTefY', 'kYTX4YC92l', 'SeYXSfOxoW'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, tTffFSW6kXuWfKvgpm/UOSweUjq7D3sPinCNu.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'wsnOiC6GaD', 'hHGOMCIsTu', 'BJkONONCLV', 'KPQOu61RIR', 'HxMOnKvXh0', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, w6i5Cem3b4xmaEE2yY/rUOALAfKg30nVuRCdr.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'qH2gvI9wZD', 'o3YJ90YG3K', 'VQ1JzqnLgi', 'WwW71Ti0Ad', 'v1F7ZYu8Uf', 'dxP7NYx2jU', 'kyw7irjvf8', 'wM57hnS8DW'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, BOhciDTI7UxO4gCOYU/Ksq8yb8IncZbxUSfmK.csHigh entropy of concatenated method names: 'HZlDPscN3T', 'NusDkf5vSB', 'cnJDblsYH5', 'HTpD57PRry', 'fALD6AKg30', 'kVuDURCdrY', 'Fi5DCCe3b4', 'LmaD9EE2yY', 'a3sDoPinCN', 'jATDyffFS6'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, pRlxiNUbgypVuoP6Uh/B4JTi56RhtZikvpub4.csHigh entropy of concatenated method names: 's3PpInSb1e', 'bripoYOGY3', 'cONpZriHm4', 'p1Ipx2BLIJ', 'yuDpfSAUcP', 'rv9pmVEwn5', 'odXpjX6no1', 'zUhpW2PJTx', 'HEJp7SLcUP', 'm6Epc8HDNQ'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, RfbfwGoi8RPSlkqfew/qGs0IBIGoXtVyYiA1b.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'ehiKVxgOqk', 'LXqKXarBEi', 'BLMKWrRO8N', 'xuZKgi2kW4', 'bKKKjrFVis', 'sDiK8i9FmT', 'SDnKo9k9ij', 'EYEKf66OdJ'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.csHigh entropy of concatenated method names: 'FsAGkxXBtY', 'TQpG6mcP37', 'NwdGUDD57w', '.ctor', '.ctor', 'upuGtXdOLY', 'mDjGb9jM1G', 'eutG5DCn44', 'sqXGKZ9lIE', 'U4ObLnO8pNqZRXbmlDm'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, gqpYcCwBrSrjvOKN6q/IQsis3cmuWgyYrWLIv.csHigh entropy of concatenated method names: '.ctor', 'YN9GDMDqbS', 'UwiGXgxhR5', 'gthGpXFG2c', 'ngcGhmkHlQ', 'HVCGgN1oxl', 'KhMGO58mrv', 'eg5aFLImrdSvdXjBWky', 'SO4kInIZEE6eEbTFr2r', 'jraHeDIreMNgnEaTC1n'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, kXrdsv5uiP4KNIMTbI/G3qiembJ0C8UrfLoZV.csHigh entropy of concatenated method names: 'bagpr2m3hV', 'iGapBfs8pV', 'h6Ipqu7YNW', 'TFJpJ0FEjI', 'krmpap9A66', 'lQ9pRAvFtZ', 'WfIpAOuqVa', 'TpNp2rG3xC', 'vCrpQI9Vta', 'GClpsf0sCk'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, kYTYC9Dp2lHvdL05CDn/hCHQaLDX5jt1yNjGTLw.csHigh entropy of concatenated method names: '.ctor', 'mDDGcb94xK', 'G8QGwwKryy', 'THMGvTWsr1', 'f5AG0KfJH7', 'z24GHSyjdO', 'BcvG3YDk2Q', 'bdPGdKrmpJ', 'HX3GeiDjeb', 'CTiGzf0MTM'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, LkgEbVzqnyfvD9F8H4/oEghyCe5Od9Uuo0voS.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'eliGylqiUR', 'VI27Op8v8m', 'ssN7QONSW9', 'R3lWrtO1QeoiU6PecH5', 'BnDSLGO713q4vgaRLQF', 'B9k7VDOxqLZy0YQN1hV', 'exF0vPON2GlJMfaSuqm', 'ovBBCAOvd0wREXMLZFH'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, qNHMG6DDHOYZZ5NjAIq/pdO1x8DEK7IDC09kUd6.csHigh entropy of concatenated method names: 'Dispose', 'JlJGLNYeE8', 'Q4nGfoJqPc', 'DXPGmUGTfi', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'xDZsj1OsUUcAGBnvxhH', 'BiQy5SOUvqUO3fyuhUy'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, vH5CTpL7PRrybq4BEx/DvSBiax85Mf9iXnJls.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'TUkhHwEoMQ', 'jexqB0sQvf', 'EAMq0Lgmng', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'DvQq9YiAtj'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, hFoyd9ZZlscN3Tfusf/bsYUZZyCX661EfBocS.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'kZMhivpLIy', 'x1PKGpaia1', 'BJaKdSKsIu', 'cGEKnJLZ5S', 'zqEKR4RpPQ', 'RvgKyr1y5H', 'NfBKDsUM5S', 'lqVKBUFGHP'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, mnTCYWkpLjqq4LGHqX/kfr1mxPYEEI8CfmbyY.csHigh entropy of concatenated method names: 'RMtXalTxwL', 'jOaXRpwgJK', 'Q5aX2yhTm1', 'xTiXQQsa9W', 'B0IXY77Bln', 'CnDX8xXo6b', 'yyNXnjGTLw', 'c8vXTNTefY', 'kYTX4YC92l', 'SeYXSfOxoW'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, iXcXSY7pg6yVKma70g/jLGGdLl5HwEF2rsueU.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'IBvOK1Pi9i', 'SKo7x85PYt', 'bku7L97UVm', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'FB3JJ7eR0b'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, tTffFSW6kXuWfKvgpm/UOSweUjq7D3sPinCNu.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'wsnOiC6GaD', 'hHGOMCIsTu', 'BJkONONCLV', 'KPQOu61RIR', 'HxMOnKvXh0', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, w6i5Cem3b4xmaEE2yY/rUOALAfKg30nVuRCdr.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'qH2gvI9wZD', 'o3YJ90YG3K', 'VQ1JzqnLgi', 'WwW71Ti0Ad', 'v1F7ZYu8Uf', 'dxP7NYx2jU', 'kyw7irjvf8', 'wM57hnS8DW'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, qNHMG6DDHOYZZ5NjAIq/pdO1x8DEK7IDC09kUd6.csHigh entropy of concatenated method names: 'Dispose', 'JlJGLNYeE8', 'Q4nGfoJqPc', 'DXPGmUGTfi', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'xDZsj1OsUUcAGBnvxhH', 'BiQy5SOUvqUO3fyuhUy'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, BOhciDTI7UxO4gCOYU/Ksq8yb8IncZbxUSfmK.csHigh entropy of concatenated method names: 'HZlDPscN3T', 'NusDkf5vSB', 'cnJDblsYH5', 'HTpD57PRry', 'fALD6AKg30', 'kVuDURCdrY', 'Fi5DCCe3b4', 'LmaD9EE2yY', 'a3sDoPinCN', 'jATDyffFS6'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, LkgEbVzqnyfvD9F8H4/oEghyCe5Od9Uuo0voS.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'eliGylqiUR', 'VI27Op8v8m', 'ssN7QONSW9', 'R3lWrtO1QeoiU6PecH5', 'BnDSLGO713q4vgaRLQF', 'B9k7VDOxqLZy0YQN1hV', 'exF0vPON2GlJMfaSuqm', 'ovBBCAOvd0wREXMLZFH'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, pRlxiNUbgypVuoP6Uh/B4JTi56RhtZikvpub4.csHigh entropy of concatenated method names: 's3PpInSb1e', 'bripoYOGY3', 'cONpZriHm4', 'p1Ipx2BLIJ', 'yuDpfSAUcP', 'rv9pmVEwn5', 'odXpjX6no1', 'zUhpW2PJTx', 'HEJp7SLcUP', 'm6Epc8HDNQ'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, kXrdsv5uiP4KNIMTbI/G3qiembJ0C8UrfLoZV.csHigh entropy of concatenated method names: 'bagpr2m3hV', 'iGapBfs8pV', 'h6Ipqu7YNW', 'TFJpJ0FEjI', 'krmpap9A66', 'lQ9pRAvFtZ', 'WfIpAOuqVa', 'TpNp2rG3xC', 'vCrpQI9Vta', 'GClpsf0sCk'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, RfbfwGoi8RPSlkqfew/qGs0IBIGoXtVyYiA1b.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'ehiKVxgOqk', 'LXqKXarBEi', 'BLMKWrRO8N', 'xuZKgi2kW4', 'bKKKjrFVis', 'sDiK8i9FmT', 'SDnKo9k9ij', 'EYEKf66OdJ'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.csHigh entropy of concatenated method names: 'FsAGkxXBtY', 'TQpG6mcP37', 'NwdGUDD57w', '.ctor', '.ctor', 'upuGtXdOLY', 'mDjGb9jM1G', 'eutG5DCn44', 'sqXGKZ9lIE', 'U4ObLnO8pNqZRXbmlDm'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, gqpYcCwBrSrjvOKN6q/IQsis3cmuWgyYrWLIv.csHigh entropy of concatenated method names: '.ctor', 'YN9GDMDqbS', 'UwiGXgxhR5', 'gthGpXFG2c', 'ngcGhmkHlQ', 'HVCGgN1oxl', 'KhMGO58mrv', 'eg5aFLImrdSvdXjBWky', 'SO4kInIZEE6eEbTFr2r', 'jraHeDIreMNgnEaTC1n'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, kYTYC9Dp2lHvdL05CDn/hCHQaLDX5jt1yNjGTLw.csHigh entropy of concatenated method names: '.ctor', 'mDDGcb94xK', 'G8QGwwKryy', 'THMGvTWsr1', 'f5AG0KfJH7', 'z24GHSyjdO', 'BcvG3YDk2Q', 'bdPGdKrmpJ', 'HX3GeiDjeb', 'CTiGzf0MTM'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, vH5CTpL7PRrybq4BEx/DvSBiax85Mf9iXnJls.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'TUkhHwEoMQ', 'jexqB0sQvf', 'EAMq0Lgmng', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'DvQq9YiAtj'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, hFoyd9ZZlscN3Tfusf/bsYUZZyCX661EfBocS.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'kZMhivpLIy', 'x1PKGpaia1', 'BJaKdSKsIu', 'cGEKnJLZ5S', 'zqEKR4RpPQ', 'RvgKyr1y5H', 'NfBKDsUM5S', 'lqVKBUFGHP'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, mnTCYWkpLjqq4LGHqX/kfr1mxPYEEI8CfmbyY.csHigh entropy of concatenated method names: 'RMtXalTxwL', 'jOaXRpwgJK', 'Q5aX2yhTm1', 'xTiXQQsa9W', 'B0IXY77Bln', 'CnDX8xXo6b', 'yyNXnjGTLw', 'c8vXTNTefY', 'kYTX4YC92l', 'SeYXSfOxoW'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, iXcXSY7pg6yVKma70g/jLGGdLl5HwEF2rsueU.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'IBvOK1Pi9i', 'SKo7x85PYt', 'bku7L97UVm', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'FB3JJ7eR0b'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, tTffFSW6kXuWfKvgpm/UOSweUjq7D3sPinCNu.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'wsnOiC6GaD', 'hHGOMCIsTu', 'BJkONONCLV', 'KPQOu61RIR', 'HxMOnKvXh0', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, w6i5Cem3b4xmaEE2yY/rUOALAfKg30nVuRCdr.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'qH2gvI9wZD', 'o3YJ90YG3K', 'VQ1JzqnLgi', 'WwW71Ti0Ad', 'v1F7ZYu8Uf', 'dxP7NYx2jU', 'kyw7irjvf8', 'wM57hnS8DW'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, pRlxiNUbgypVuoP6Uh/B4JTi56RhtZikvpub4.cs | High entropy of concatenated method names: 's3PpInSb1e', 'bripoYOGY3', 'cONpZriHm4', 'p1Ipx2BLIJ', 'yuDpfSAUcP', 'rv9pmVEwn5', 'odXpjX6no1', 'zUhpW2PJTx', 'HEJp7SLcUP', 'm6Epc8HDNQ'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, BOhciDTI7UxO4gCOYU/Ksq8yb8IncZbxUSfmK.cs | High entropy of concatenated method names: 'HZlDPscN3T', 'NusDkf5vSB', 'cnJDblsYH5', 'HTpD57PRry', 'fALD6AKg30', 'kVuDURCdrY', 'Fi5DCCe3b4', 'LmaD9EE2yY', 'a3sDoPinCN', 'jATDyffFS6'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, RfbfwGoi8RPSlkqfew/qGs0IBIGoXtVyYiA1b.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'ehiKVxgOqk', 'LXqKXarBEi', 'BLMKWrRO8N', 'xuZKgi2kW4', 'bKKKjrFVis', 'sDiK8i9FmT', 'SDnKo9k9ij', 'EYEKf66OdJ'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.cs | High entropy of concatenated method names: 'FsAGkxXBtY', 'TQpG6mcP37', 'NwdGUDD57w', '.ctor', '.ctor', 'upuGtXdOLY', 'mDjGb9jM1G', 'eutG5DCn44', 'sqXGKZ9lIE', 'U4ObLnO8pNqZRXbmlDm'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, kXrdsv5uiP4KNIMTbI/G3qiembJ0C8UrfLoZV.cs | High entropy of concatenated method names: 'bagpr2m3hV', 'iGapBfs8pV', 'h6Ipqu7YNW', 'TFJpJ0FEjI', 'krmpap9A66', 'lQ9pRAvFtZ', 'WfIpAOuqVa', 'TpNp2rG3xC', 'vCrpQI9Vta', 'GClpsf0sCk'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, gqpYcCwBrSrjvOKN6q/IQsis3cmuWgyYrWLIv.cs | High entropy of concatenated method names: '.ctor', 'YN9GDMDqbS', 'UwiGXgxhR5', 'gthGpXFG2c', 'ngcGhmkHlQ', 'HVCGgN1oxl', 'KhMGO58mrv', 'eg5aFLImrdSvdXjBWky', 'SO4kInIZEE6eEbTFr2r', 'jraHeDIreMNgnEaTC1n'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, kYTYC9Dp2lHvdL05CDn/hCHQaLDX5jt1yNjGTLw.cs | High entropy of concatenated method names: '.ctor', 'mDDGcb94xK', 'G8QGwwKryy', 'THMGvTWsr1', 'f5AG0KfJH7', 'z24GHSyjdO', 'BcvG3YDk2Q', 'bdPGdKrmpJ', 'HX3GeiDjeb', 'CTiGzf0MTM'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, qNHMG6DDHOYZZ5NjAIq/pdO1x8DEK7IDC09kUd6.cs | High entropy of concatenated method names: 'Dispose', 'JlJGLNYeE8', 'Q4nGfoJqPc', 'DXPGmUGTfi', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'xDZsj1OsUUcAGBnvxhH', 'BiQy5SOUvqUO3fyuhUy'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, LkgEbVzqnyfvD9F8H4/oEghyCe5Od9Uuo0voS.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'eliGylqiUR', 'VI27Op8v8m', 'ssN7QONSW9', 'R3lWrtO1QeoiU6PecH5', 'BnDSLGO713q4vgaRLQF', 'B9k7VDOxqLZy0YQN1hV', 'exF0vPON2GlJMfaSuqm', 'ovBBCAOvd0wREXMLZFH'
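The rows above flag a type when the Shannon entropy of its concatenated method names is high, which is what a renaming obfuscator produces. The script below is an added example by the editor, not the sandbox vendor's implementation: it reproduces that measure on two of the method-name lists copied from the rows above and on a constructed benign list for contrast. The 4.8 bits/char cut-off and the generated-name regex are the editor's assumptions; exporting method names from a real assembly with a decompiler is assumed rather than shown.

```python
"""Score .NET method-name lists the way the sandbox signature above does.
Added example by the editor; not the sandbox vendor's code."""
import math
import re
from collections import Counter

# Editor's cut-off: readable identifiers concatenate to roughly 4.0-4.5 bits/char,
# renamed obfuscator output to 5+ bits/char (assumption, tuned on the rows above).
ENTROPY_THRESHOLD_BITS = 4.8

# A name made only of letters and digits that mixes lower case, upper case and a
# digit is the typical output of a renaming obfuscator (heuristic, second signal).
GENERATED_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{8,}$")

# Method names copied from the report (unpacked stage 5.0, two flagged types).
REPORT_TYPE_1 = ['.ctor', 'Dispose', 'qH2gvI9wZD', 'o3YJ90YG3K', 'VQ1JzqnLgi',
                 'WwW71Ti0Ad', 'v1F7ZYu8Uf', 'dxP7NYx2jU', 'kyw7irjvf8', 'wM57hnS8DW']
REPORT_TYPE_2 = ['Dispose', 'JlJGLNYeE8', 'Q4nGfoJqPc', 'DXPGmUGTfi', 'get_Text',
                 'set_Text', '.ctor', 'OnPaint', 'xDZsj1OsUUcAGBnvxhH', 'BiQy5SOUvqUO3fyuhUy']
# Constructed benign control: a WinForms-style type with readable names.
BENIGN_TYPE = ['.ctor', 'Dispose', 'get_Text', 'set_Text', 'OnPaint', 'LoadSettings',
               'SaveSettings', 'ValidateInput', 'ToString', 'GetHashCode']


def shannon_entropy(text: str) -> float:
    """Bits per character of the given string (0.0 for the empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def method_name_entropy(names) -> float:
    """Entropy of the concatenation, which is what the sandbox signature measures."""
    return shannon_entropy("".join(names))


def generated_name_fraction(names) -> float:
    """Share of names that look like obfuscator output; independent of entropy."""
    if not names:
        return 0.0
    return sum(1 for n in names if GENERATED_NAME_RE.match(n)) / len(names)


def looks_obfuscated(names, threshold: float = ENTROPY_THRESHOLD_BITS) -> bool:
    """Primary verdict: mirror the sandbox rule on the concatenated names."""
    return method_name_entropy(names) > threshold


def report(type_names: dict) -> dict:
    """Per-type summary: keys are type names, values the three measures."""
    return {t: {"entropy_bits": round(method_name_entropy(n), 2),
                "generated_fraction": round(generated_name_fraction(n), 2),
                "flagged": looks_obfuscated(n)}
            for t, n in type_names.items()}


if __name__ == "__main__":
    # Type names taken from the two report rows; BenignForm is the constructed control.
    for t, r in report({"rUOALAfKg30nVuRCdr": REPORT_TYPE_1,
                        "pdO1x8DEK7IDC09kUd6": REPORT_TYPE_2,
                        "BenignForm": BENIGN_TYPE}).items():
        print(f"{t:24s} {r}")
```

Entropy alone is coarse: a type with many framework-named members (get_/set_ accessors, OnPaint, Dispose) dilutes the score, which is why the second type in the report still passes the cut-off but only four of its ten names match the generated-name pattern. Use both signals and judge at the assembly level rather than on a single type.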
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Process information set: NOOPENFILEERRORBOX (identical row reported 90 times)

                Malware Analysis System Evasion:

                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Thread delayed: delay time: 922337203685477 (identical row reported 2 times)
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Window / User API: threadDelayed 968
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Window / User API: threadDelayed 8887
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | TID: 4872 | Thread sleep time: -45897s >= -30000s
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | TID: 720 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | TID: 1492 | Thread sleep time: -17524406870024063s >= -30000s
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | TID: 3412 | Thread sleep count: 968 > 30
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | TID: 3412 | Thread sleep count: 8887 > 30
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Thread delayed: delay time: 45897
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Thread delayed: delay time: 922337203685477 (identical row reported 2 times)
                Source: RFQ_ 21072021.exe, 00000005.00000002.475880688.0000000006310000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: RFQ_ 21072021.exe | Binary or memory string: DdUXhZQ[fUE6Ws]YTSk6WLInYD73f[o5QsEYYq{nV]8XY[8XVpEzfoQZd5M[]WMZ][<IgogJD}4pfy]3[3Y5]DL[]}Y4[3Y5]D75esU[\moJezE[TiU[]qET]m8Z\3QqeMU[]K<IgogJD|YJg4E[eyQ3[3Y5]DL6e3Q5\xDjfoUZd5<pfTU6\osp\SQ[]mopg|Y5XlY5Y843[wEjfoUZd5<pfTU6\osp\SQ[e|<pU843[wEjfoQ[YDL[]nopgyMKX3QZ
                Source: RFQ_ 21072021.exe, 00000005.00000002.475880688.0000000006310000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: RFQ_ 21072021.exe, 00000005.00000002.475880688.0000000006310000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: RFQ_ 21072021.exe, 00000005.00000002.470729166.000000000166F000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA=q
                Source: RFQ_ 21072021.exe, 00000005.00000002.475880688.0000000006310000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_014F11B0 LdrInitializeThunk
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Memory written: C:\Users\user\Desktop\RFQ_ 21072021.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Process created: C:\Users\user\Desktop\RFQ_ 21072021.exe C:\Users\user\Desktop\RFQ_ 21072021.exe
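The Malware Analysis System Evasion rows (WMI enumeration of Win32_BaseBoard, Win32_NetworkAdapterConfiguration and Win32_Processor, sleeps of 922337203685477 and 17524406870024063 reported against a 30000 cut-off, an 8887-iteration sleep loop) and the two injection rows just above together describe a loader that fingerprints the machine, stalls, and then writes an MZ image at 0x400000 into a freshly spawned copy of itself. The script below is an added example by the editor, not the sandbox's logic: it parses (process, event) tuples constructed here to mirror those rows, with values copied from the report, and turns them into a triage verdict. The VM-fingerprint class list, the regexes and the verdict rule are the editor's assumptions. The arithmetic behind the sentinel check is the editor's observation, not something the report states: 922337203685477 equals Int64.MaxValue divided by 10000, which is .NET's TimeSpan.MaxValue in milliseconds, and 17524406870024063 is exactly 19 of them.

```python
"""Triage helper for sandbox signature rows like the ones in this report.
Added example by the editor; not the sandbox vendor's logic."""
import re

PROC = r"C:\Users\user\Desktop\RFQ_ 21072021.exe"   # process path from the report

# WMI classes commonly enumerated to fingerprint a VM or sandbox (editor's list).
VM_FINGERPRINT_CLASSES = {
    "Win32_BaseBoard", "Win32_Bios", "Win32_ComputerSystem", "Win32_DiskDrive",
    "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration", "Win32_Processor",
}
# 922337203685477 == Int64.MaxValue // 10000, i.e. .NET TimeSpan.MaxValue expressed in
# milliseconds: a 'wait forever' sentinel, whatever unit the sandbox prints it in.
DOTNET_TIMESPAN_MAX = 922_337_203_685_477
SLEEP_THRESHOLD = 30_000        # the report's own cut-off ("... >= -30000s")
SLEEP_COUNT_THRESHOLD = 30      # the report's own cut-off ("... > 30")

WMI_RE = re.compile(r"IWbemServices::(\w+) - \S+ : (.+)$")
FROM_RE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)
SLEEP_RE = re.compile(r"Thread sleep time: -(\d+)s")
SLEEP_COUNT_RE = re.compile(r"Thread sleep count: (\d+)")
MEMWRITE_RE = re.compile(r"Memory written: (.+) base: ([0-9A-Fa-f]+) value starts with: ([0-9A-Fa-f]+)")
PROC_CREATED_RE = re.compile(r"Process created: (.+)$")

# Constructed (source process, event text) pairs modelled on the report's rows.
SAMPLE_EVENTS = [
    (PROC, r"WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard"),
    (PROC, r"WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration"),
    (PROC, r"WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor"),
    (PROC, "TID: 4872 Thread sleep time: -45897s >= -30000s"),
    (PROC, "TID: 720 Thread sleep time: -922337203685477s >= -30000s"),
    (PROC, "TID: 1492 Thread sleep time: -17524406870024063s >= -30000s"),
    (PROC, "TID: 3412 Thread sleep count: 8887 > 30"),
    (PROC, "Memory written: " + PROC + " base: 400000 value starts with: 4D5A"),
    (PROC, "Process created: " + PROC + " " + PROC),
]


def wmi_class(event: str):
    """WMI class named by an IWbemServices call, or None for other events."""
    m = WMI_RE.search(event)
    if not m:
        return None
    target = m.group(2).strip()
    if m.group(1) == "ExecQuery":       # WQL text: the class sits after FROM
        f = FROM_RE.search(target)
        return f.group(1) if f else None
    return target                       # CreateInstanceEnum names the class itself


def evasive_sleep(event: str):
    """(value, sentinel_multiple) for a sleep at or above the cut-off, else None.
    sentinel_multiple is how many TimeSpan.MaxValue sentinels the value equals
    (0 for a plain number), so an accumulated figure is still recognised."""
    m = SLEEP_RE.search(event)
    if not m:
        return None
    value = int(m.group(1))
    if value < SLEEP_THRESHOLD:
        return None
    multiple = value // DOTNET_TIMESPAN_MAX if value % DOTNET_TIMESPAN_MAX == 0 else 0
    return value, multiple


def sleep_loop(event: str):
    """Iteration count of a sleep loop above the cut-off, else None."""
    m = SLEEP_COUNT_RE.search(event)
    if m and int(m.group(1)) > SLEEP_COUNT_THRESHOLD:
        return int(m.group(1))
    return None


def self_injection_base(events):
    """Base address at which an MZ header was written into a spawned copy of the
    writer's own image (RunPE / self-hollowing). The rows carry no PIDs, so the
    same image path stands in for 'the child'. None when the pattern is absent."""
    spawned_self = False
    for src, ev in events:
        m = PROC_CREATED_RE.search(ev)
        if m and m.group(1).startswith(src):
            spawned_self = True
    if not spawned_self:
        return None
    for src, ev in events:
        m = MEMWRITE_RE.search(ev)
        if m and m.group(1) == src and m.group(3).upper().startswith("4D5A"):
            return int(m.group(2), 16)
    return None


def triage(events) -> dict:
    """Summarise the behaviours; the strongest verdict needs evasion plus injection."""
    out = {"vm_fingerprint_classes": [], "evasive_sleeps": [], "sleep_loops": [],
           "self_injection_base": self_injection_base(events)}
    for _, ev in events:
        cls = wmi_class(ev)
        if cls in VM_FINGERPRINT_CLASSES and cls not in out["vm_fingerprint_classes"]:
            out["vm_fingerprint_classes"].append(cls)
        sleep = evasive_sleep(ev)
        if sleep is not None:
            out["evasive_sleeps"].append(sleep)
        loop = sleep_loop(ev)
        if loop is not None:
            out["sleep_loops"].append(loop)
    evasive = any(out[k] for k in ("vm_fingerprint_classes", "evasive_sleeps", "sleep_loops"))
    if evasive and out["self_injection_base"] is not None:
        out["verdict"] = "evasive self-injecting loader"
    elif evasive:
        out["verdict"] = "evasive"
    else:
        out["verdict"] = "no finding"
    return out


if __name__ == "__main__":
    for k, v in triage(SAMPLE_EVENTS).items():
        print(f"{k:22s} {v}")
```

The sentinel check matters in practice: a sleep of 922337203685477 is not a timer to be patched shorter, it is a thread parked forever, so the real work happens on another thread or in the child process, and the injected image at 0x400000 in the spawned copy is what should be dumped.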
                Source: RFQ_ 21072021.exe, 00000005.00000002.470935101.0000000001C00000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                Source: RFQ_ 21072021.exe, 00000005.00000002.470935101.0000000001C00000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                Source: RFQ_ 21072021.exe, 00000005.00000002.470935101.0000000001C00000.00000002.00000001.sdmp | Binary or memory string: Progman
                Source: RFQ_ 21072021.exe, 00000005.00000002.470935101.0000000001C00000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Users\user\Desktop\RFQ_ 21072021.exe VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Deskto