
Windows Analysis Report RFQ_ 21072021.exe

Overview

General Information

Sample Name:RFQ_ 21072021.exe
Analysis ID:452459
MD5:0a74cbd4246a6e11077876c572a3d507
SHA1:0a4f341f4e9b399fa37a42e041bb3bb3b6f455ff
SHA256:4856e75e63f0c5c14255001eefbea1d88c99fa8b7279dd0703a407a90b222b93

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AgentTesla
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • RFQ_ 21072021.exe (PID: 4792 cmdline: 'C:\Users\user\Desktop\RFQ_ 21072021.exe' MD5: 0A74CBD4246A6E11077876C572A3D507)
    • RFQ_ 21072021.exe (PID: 2408 cmdline: C:\Users\user\Desktop\RFQ_ 21072021.exe MD5: 0A74CBD4246A6E11077876C572A3D507)
  • cleanup
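
The tree above shows the sample relaunching its own image (PID 4792 spawns PID 2408 from the identical path), which together with the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures is the usual self-hollowing pattern: the parent starts a suspended copy of itself and overwrites it with the decrypted AgentTesla payload. As an added example that is not part of the Joe Sandbox report, the following Python hunts for that pattern over process-creation telemetry. The event records are constructed here in the shape of Sysmon Event ID 1 fields; only the two RFQ_ rows mirror the report, while the explorer, chrome and notepad rows and their PIDs are invented filler, and the allow-list of applications that legitimately relaunch their own image is an assumption to tune per environment.

```python
from __future__ import annotations

import re

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields.
# The two RFQ_ rows mirror the report's process tree (PIDs 4792 -> 2408); the
# explorer/chrome/notepad rows and their PIDs are invented filler for contrast.
SAMPLE_EVENTS = [
    {"pid": 4792, "ppid": 1234,
     "image": r"C:\Users\user\Desktop\RFQ_ 21072021.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"'C:\Users\user\Desktop\RFQ_ 21072021.exe'"},
    {"pid": 2408, "ppid": 4792,
     "image": r"C:\Users\user\Desktop\RFQ_ 21072021.exe",
     "parent_image": r"C:\Users\user\Desktop\RFQ_ 21072021.exe",
     "cmdline": r"C:\Users\user\Desktop\RFQ_ 21072021.exe"},
    {"pid": 5100, "ppid": 4100,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --type=renderer"},
    {"pid": 6000, "ppid": 1234,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
]

# Directories an unprivileged user can write to; a self-relaunching binary that
# lives here is far more suspicious than one under Program Files or System32.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)

# Assumption: well-known multi-process applications that legitimately relaunch
# their own image. This allow-list is not from the report; tune it per estate.
KNOWN_SELF_SPAWNERS = {"chrome.exe", "msedge.exe", "firefox.exe", "teams.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> dict | None:
    """Return a finding when a child is launched from the same image as its
    parent (self re-launch, the first step of hollowing one's own image), or
    None when the event looks benign."""
    if event["image"].lower() != event["parent_image"].lower():
        return None
    if _basename(event["image"]) in KNOWN_SELF_SPAWNERS:
        return None
    reasons = ["child image equals parent image (self re-launch)"]
    severity = "medium"
    if USER_WRITABLE.match(event["image"]):
        reasons.append("image resides in a user-writable directory")
        severity = "high"
    return {"pid": event["pid"], "ppid": event["ppid"],
            "image": event["image"], "severity": severity, "reasons": reasons}


def hunt(events: list[dict]) -> list[dict]:
    """Run the self-spawn check over a batch of process-creation events."""
    return [finding for finding in map(classify, events) if finding]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["severity"], finding["pid"], finding["reasons"])
```

Process-creation events alone cannot see the CREATE_SUSPENDED flag or the writes into the child, so treat a hit as a lead and corroborate it with EDR or ETW telemetry that records creation flags and cross-process memory writes before calling it injection.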

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "webmaster@tccinfaes.com", "Password": "transportes", "Host": "mail.tccinfaes.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: RFQ_ 21072021.exe PID: 2408 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: RFQ_ 21072021.exe PID: 2408 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Unpacked PEs

Source | Rule | Description | Author
5.2.RFQ_ 21072021.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.RFQ_ 21072021.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

                 AV Detection:

                 Found malware configuration
                 Source: 5.2.RFQ_ 21072021.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "webmaster@tccinfaes.com", "Password": "transportes", "Host": "mail.tccinfaes.com"}
                 Multi AV Scanner detection for submitted file
                 Source: RFQ_ 21072021.exeVirustotal: Detection: 30%
                 Source: RFQ_ 21072021.exeReversingLabs: Detection: 15%
                 Machine Learning detection for sample
                 Source: RFQ_ 21072021.exeJoe Sandbox ML: detected
                Source: 5.2.RFQ_ 21072021.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                Source: RFQ_ 21072021.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                Source: RFQ_ 21072021.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                 Source: global trafficTCP traffic: 192.168.2.3:49739 -> 188.93.227.195:587
                 Source: Joe Sandbox ViewIP Address: 188.93.227.195 188.93.227.195
                 Source: Joe Sandbox ViewASN Name: CLARANET-ASClaraNETLTDGB CLARANET-ASClaraNETLTDGB
                Source: unknownDNS traffic detected: queries for: mail.tccinfaes.com
                Source: RFQ_ 21072021.exe, 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                Source: RFQ_ 21072021.exe, 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                Source: RFQ_ 21072021.exe, 00000005.00000002.473275358.00000000034E4000.00000004.00000001.sdmpString found in binary or memory: http://TryUj9XyxT6LakY.org
                Source: RFQ_ 21072021.exeString found in binary or memory: http://api.twitter.com/1/direct_messages.xml?since_id=
                Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
                Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmpString found in binary or memory: http://cps.letsencrypt.org0
                Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
                Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
                Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmpString found in binary or memory: http://mail.tccinfaes.com
                Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmpString found in binary or memory: http://r3.i.lencr.org/0)
                Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmpString found in binary or memory: http://r3.o.lencr.org0
                Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmpString found in binary or memory: http://tccinfaes.com
                Source: RFQ_ 21072021.exeString found in binary or memory: http://twitter.com/statuses/user_timeline.xml?screen_name=
                Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                Source: RFQ_ 21072021.exe, 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmpString found in binary or memory: http://xmALXm.com
                Source: RFQ_ 21072021.exe, 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                Source: RFQ_ 21072021.exe, 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
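
The extracted configuration and the network lines above form one chain: the config names mail.tccinfaes.com as the exfil host, the sandbox saw a DNS query for it, and the sample then opened 192.168.2.3:49739 -> 188.93.227.195:587, which is SMTP submission from a workstation that has no business talking SMTP directly. As an added example, not part of the report, the following Python turns that chain into a hunt: it derives host IOCs from the extracted config, pivots through DNS answers to the addresses those names resolved to, and flags connections to those addresses as well as any direct SMTP submission that bypasses the organisation's relay. The dns and conn records are constructed Zeek-style tab-separated lines (the 203.0.113.x and 198.51.100.x addresses and the updates.example.net name are RFC 5737/2606 filler), the relay allow-list is an assumption, and the SMTP password from the config is deliberately not reproduced in the code.

```python
from __future__ import annotations

# Host fields of the AgentTesla configuration extracted in this report.
# The SMTP password is intentionally left out; it is not needed for hunting.
CONFIG = {"Exfil Mode": "SMTP", "Username": "webmaster@tccinfaes.com",
          "Host": "mail.tccinfaes.com"}

# Constructed Zeek-style dns log (tab-separated): ts, uid, orig_h, query, qtype, answer
DNS_LOG = """\
1626850000.10\tC1dns\t192.168.2.3\tmail.tccinfaes.com\tA\t188.93.227.195
1626850001.20\tC2dns\t192.168.2.3\tupdates.example.net\tA\t203.0.113.10
"""
# Constructed Zeek-style conn log: ts, uid, orig_h, orig_p, resp_h, resp_p, proto
CONN_LOG = """\
1626850000.50\tC3conn\t192.168.2.3\t49739\t188.93.227.195\t587\ttcp
1626850002.00\tC4conn\t192.168.2.3\t49740\t203.0.113.10\t443\ttcp
1626850003.00\tC5conn\t192.168.2.3\t49741\t198.51.100.7\t587\ttcp
1626850004.00\tC6conn\t192.168.2.3\t49742\t203.0.113.25\t587\ttcp
"""

SMTP_PORTS = {25, 465, 587}
# Assumption: the organisation's sanctioned outbound mail relay. Workstations
# talking SMTP to anything else is a useful weak signal on its own.
MAIL_RELAY_ALLOW = {"203.0.113.25"}


def iocs_from_config(cfg: dict) -> set[str]:
    """Derive host IOCs: the exfil host plus the mail domain of the account."""
    hosts = {cfg["Host"].lower()}
    user = cfg.get("Username", "")
    if "@" in user:
        hosts.add(user.split("@", 1)[1].lower())
    return hosts


def matches_ioc(name: str, iocs: set[str]) -> bool:
    """Exact or subdomain match against the IOC set (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == h or name.endswith("." + h) for h in iocs)


def pivot_dns(dns_log: str, iocs: set[str]) -> dict[str, str]:
    """Map every answer IP for an IOC name back to the name that produced it."""
    hits: dict[str, str] = {}
    for line in dns_log.splitlines():
        _ts, _uid, _src, query, _qtype, answer = line.split("\t")
        if matches_ioc(query, iocs):
            hits[answer] = query
    return hits


def scan_conn(conn_log: str, ip_hits: dict[str, str]) -> list[dict]:
    """Flag connections to pivoted IPs (high) and off-relay SMTP (medium)."""
    findings = []
    for line in conn_log.splitlines():
        _ts, uid, src, _sport, dst, dport, _proto = line.split("\t")
        port = int(dport)
        if dst in ip_hits:
            findings.append({"uid": uid, "severity": "high",
                             "reason": f"{src} -> {dst}:{port}, {ip_hits[dst]} from AgentTesla config"})
        elif port in SMTP_PORTS and dst not in MAIL_RELAY_ALLOW:
            findings.append({"uid": uid, "severity": "medium",
                             "reason": f"{src} -> {dst}:{port}, SMTP submission bypassing the relay"})
    return findings


def hunt(cfg: dict, dns_log: str, conn_log: str) -> list[dict]:
    """Config -> DNS answers -> connections, in one pass."""
    return scan_conn(conn_log, pivot_dns(dns_log, iocs_from_config(cfg)))


if __name__ == "__main__":
    for f in hunt(CONFIG, DNS_LOG, CONN_LOG):
        print(f["severity"], f["uid"], f["reason"])
```

The DNS pivot matters because the IP in the report (188.93.227.195, a ClaraNet range) is shared hosting and can change; the hostname in the config is the durable IOC, and the resolved address is only trustworthy for the window in which your own resolver logs show the mapping.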

                 System Summary:

                 .NET source code contains very large array initializations
                 Source: 5.2.RFQ_ 21072021.exe.400000.0.unpack, <PrivateImplementationDetails>{8EE18770-EECE-4ADF-9E9E-074DF25730B2}/11D6105C-DC1D-4AAA-8C1B-C3E13237EBD4.cs, Large array initialization: .cctor: array initializer size 11960
                 Source: C:\Users\user\Desktop\RFQ_ 21072021.exeCode function: 5_2_014FC898
                 Source: C:\Users\user\Desktop\RFQ_ 21072021.exeCode function: 5_2_014F2B98
                 Source: C:\Users\user\Desktop\RFQ_ 21072021.exeCode function: 5_2_014F55E0
                 Source: C:\Users\user\Desktop\RFQ_ 21072021.exeCode function: 5_2_014F8690
                 Source: C:\Users\user\Desktop\RFQ_ 21072021.exeCode function: 5_2_014F0B10
                 Source: C:\Users\user\Desktop\RFQ_ 21072021.exeCode function: 5_2_014F2B84
                 Source: C:\Users\user\Desktop\RFQ_ 21072021.exeCode function: 5_2_015A47A0
                 Source: C:\Users\user\Desktop\RFQ_ 21072021.exeCode function: 5_2_015A3E4A
                 Source: C:\Users\user\Desktop\RFQ_ 21072021.exeCode function: 5_2_015A4752
                 Source: C:\Users\user\Desktop\RFQ_ 21072021.exeCode function: 5_2_015A4790
                 Source: C:\Users\user\Desktop\RFQ_ 21072021.exeCode function: 5_2_015AD661
                Source: RFQ_ 21072021.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: RFQ_ 21072021.exe, 00000000.00000000.200067110.00000000005DA000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameValueFix.exe8 vs RFQ_ 21072021.exe
                Source: RFQ_ 21072021.exe, 00000005.00000002.470604186.00000000015CA000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs RFQ_ 21072021.exe
                Source: RFQ_ 21072021.exe, 00000005.00000002.470440078.0000000001500000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs RFQ_ 21072021.exe
                Source: RFQ_ 21072021.exe, 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamegzwcjkfsADBjJOEQlRwAtFYMhaFmnBBLEezh.exe4 vs RFQ_ 21072021.exe
                Source: RFQ_ 21072021.exe, 00000005.00000002.475880688.0000000006310000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs RFQ_ 21072021.exe
                Source: RFQ_ 21072021.exe, 00000005.00000000.251584660.0000000000E5A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameValueFix.exe8 vs RFQ_ 21072021.exe
                Source: RFQ_ 21072021.exe, 00000005.00000002.468933088.0000000000FA0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs RFQ_ 21072021.exe
                Source: RFQ_ 21072021.exe, 00000005.00000002.469162239.00000000012F8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs RFQ_ 21072021.exe
                Source: RFQ_ 21072021.exeBinary or memory string: OriginalFilenameValueFix.exe8 vs RFQ_ 21072021.exe
                Source: RFQ_ 21072021.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: RFQ_ 21072021.exe, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.csCryptographic APIs: 'CreateDecryptor'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.csCryptographic APIs: 'CreateDecryptor'
                 Source: 5.2.RFQ_ 21072021.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.csCryptographic APIs: 'CreateDecryptor'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.csCryptographic APIs: 'CreateDecryptor'
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
                 Source: C:\Users\user\Desktop\RFQ_ 21072021.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ_ 21072021.exe.log
                 Source: C:\Users\user\Desktop\RFQ_ 21072021.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                 Source: C:\Users\user\Desktop\RFQ_ 21072021.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                 Source: C:\Users\user\Desktop\RFQ_ 21072021.exeFile read: C:\Windows\System32\drivers\etc\hosts
                 Source: unknownProcess created: C:\Users\user\Desktop\RFQ_ 21072021.exe 'C:\Users\user\Desktop\RFQ_ 21072021.exe'
                 Source: C:\Users\user\Desktop\RFQ_ 21072021.exeProcess created: C:\Users\user\Desktop\RFQ_ 21072021.exe C:\Users\user\Desktop\RFQ_ 21072021.exe
                 Source: C:\Users\user\Desktop\RFQ_ 21072021.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                 Source: C:\Users\user\Desktop\RFQ_ 21072021.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                 Source: C:\Users\user\Desktop\RFQ_ 21072021.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: RFQ_ 21072021.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeCode function: 5_2_014FADEB pushad ; retf 5_2_014FADF1
                Source: initial sampleStatic PE information: section name: .text entropy: 7.56840197347
                Source: RFQ_ 21072021.exe, vH5CTpL7PRrybq4BEx/DvSBiax85Mf9iXnJls.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'TUkhHwEoMQ', 'jexqB0sQvf', 'EAMq0Lgmng', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'DvQq9YiAtj'
                Source: RFQ_ 21072021.exe, hFoyd9ZZlscN3Tfusf/bsYUZZyCX661EfBocS.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'kZMhivpLIy', 'x1PKGpaia1', 'BJaKdSKsIu', 'cGEKnJLZ5S', 'zqEKR4RpPQ', 'RvgKyr1y5H', 'NfBKDsUM5S', 'lqVKBUFGHP'
                Source: RFQ_ 21072021.exe, iXcXSY7pg6yVKma70g/jLGGdLl5HwEF2rsueU.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'IBvOK1Pi9i', 'SKo7x85PYt', 'bku7L97UVm', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'FB3JJ7eR0b'
                Source: RFQ_ 21072021.exe, mnTCYWkpLjqq4LGHqX/kfr1mxPYEEI8CfmbyY.csHigh entropy of concatenated method names: 'RMtXalTxwL', 'jOaXRpwgJK', 'Q5aX2yhTm1', 'xTiXQQsa9W', 'B0IXY77Bln', 'CnDX8xXo6b', 'yyNXnjGTLw', 'c8vXTNTefY', 'kYTX4YC92l', 'SeYXSfOxoW'
                Source: RFQ_ 21072021.exe, tTffFSW6kXuWfKvgpm/UOSweUjq7D3sPinCNu.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'wsnOiC6GaD', 'hHGOMCIsTu', 'BJkONONCLV', 'KPQOu61RIR', 'HxMOnKvXh0', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ'
                Source: RFQ_ 21072021.exe, w6i5Cem3b4xmaEE2yY/rUOALAfKg30nVuRCdr.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'qH2gvI9wZD', 'o3YJ90YG3K', 'VQ1JzqnLgi', 'WwW71Ti0Ad', 'v1F7ZYu8Uf', 'dxP7NYx2jU', 'kyw7irjvf8', 'wM57hnS8DW'
                Source: RFQ_ 21072021.exe, BOhciDTI7UxO4gCOYU/Ksq8yb8IncZbxUSfmK.csHigh entropy of concatenated method names: 'HZlDPscN3T', 'NusDkf5vSB', 'cnJDblsYH5', 'HTpD57PRry', 'fALD6AKg30', 'kVuDURCdrY', 'Fi5DCCe3b4', 'LmaD9EE2yY', 'a3sDoPinCN', 'jATDyffFS6'
                Source: RFQ_ 21072021.exe, pRlxiNUbgypVuoP6Uh/B4JTi56RhtZikvpub4.csHigh entropy of concatenated method names: 's3PpInSb1e', 'bripoYOGY3', 'cONpZriHm4', 'p1Ipx2BLIJ', 'yuDpfSAUcP', 'rv9pmVEwn5', 'odXpjX6no1', 'zUhpW2PJTx', 'HEJp7SLcUP', 'm6Epc8HDNQ'
                Source: RFQ_ 21072021.exe, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.csHigh entropy of concatenated method names: 'FsAGkxXBtY', 'TQpG6mcP37', 'NwdGUDD57w', '.ctor', '.ctor', 'upuGtXdOLY', 'mDjGb9jM1G', 'eutG5DCn44', 'sqXGKZ9lIE', 'U4ObLnO8pNqZRXbmlDm'
                Source: RFQ_ 21072021.exe, RfbfwGoi8RPSlkqfew/qGs0IBIGoXtVyYiA1b.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'ehiKVxgOqk', 'LXqKXarBEi', 'BLMKWrRO8N', 'xuZKgi2kW4', 'bKKKjrFVis', 'sDiK8i9FmT', 'SDnKo9k9ij', 'EYEKf66OdJ'
                Source: RFQ_ 21072021.exe, kXrdsv5uiP4KNIMTbI/G3qiembJ0C8UrfLoZV.csHigh entropy of concatenated method names: 'bagpr2m3hV', 'iGapBfs8pV', 'h6Ipqu7YNW', 'TFJpJ0FEjI', 'krmpap9A66', 'lQ9pRAvFtZ', 'WfIpAOuqVa', 'TpNp2rG3xC', 'vCrpQI9Vta', 'GClpsf0sCk'
                Source: RFQ_ 21072021.exe, gqpYcCwBrSrjvOKN6q/IQsis3cmuWgyYrWLIv.csHigh entropy of concatenated method names: '.ctor', 'YN9GDMDqbS', 'UwiGXgxhR5', 'gthGpXFG2c', 'ngcGhmkHlQ', 'HVCGgN1oxl', 'KhMGO58mrv', 'eg5aFLImrdSvdXjBWky', 'SO4kInIZEE6eEbTFr2r', 'jraHeDIreMNgnEaTC1n'
                Source: RFQ_ 21072021.exe, kYTYC9Dp2lHvdL05CDn/hCHQaLDX5jt1yNjGTLw.csHigh entropy of concatenated method names: '.ctor', 'mDDGcb94xK', 'G8QGwwKryy', 'THMGvTWsr1', 'f5AG0KfJH7', 'z24GHSyjdO', 'BcvG3YDk2Q', 'bdPGdKrmpJ', 'HX3GeiDjeb', 'CTiGzf0MTM'
                Source: RFQ_ 21072021.exe, LkgEbVzqnyfvD9F8H4/oEghyCe5Od9Uuo0voS.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'eliGylqiUR', 'VI27Op8v8m', 'ssN7QONSW9', 'R3lWrtO1QeoiU6PecH5', 'BnDSLGO713q4vgaRLQF', 'B9k7VDOxqLZy0YQN1hV', 'exF0vPON2GlJMfaSuqm', 'ovBBCAOvd0wREXMLZFH'
                Source: RFQ_ 21072021.exe, qNHMG6DDHOYZZ5NjAIq/pdO1x8DEK7IDC09kUd6.csHigh entropy of concatenated method names: 'Dispose', 'JlJGLNYeE8', 'Q4nGfoJqPc', 'DXPGmUGTfi', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'xDZsj1OsUUcAGBnvxhH', 'BiQy5SOUvqUO3fyuhUy'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, vH5CTpL7PRrybq4BEx/DvSBiax85Mf9iXnJls.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'TUkhHwEoMQ', 'jexqB0sQvf', 'EAMq0Lgmng', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'DvQq9YiAtj'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, hFoyd9ZZlscN3Tfusf/bsYUZZyCX661EfBocS.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'kZMhivpLIy', 'x1PKGpaia1', 'BJaKdSKsIu', 'cGEKnJLZ5S', 'zqEKR4RpPQ', 'RvgKyr1y5H', 'NfBKDsUM5S', 'lqVKBUFGHP'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, iXcXSY7pg6yVKma70g/jLGGdLl5HwEF2rsueU.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'IBvOK1Pi9i', 'SKo7x85PYt', 'bku7L97UVm', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'FB3JJ7eR0b'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, mnTCYWkpLjqq4LGHqX/kfr1mxPYEEI8CfmbyY.csHigh entropy of concatenated method names: 'RMtXalTxwL', 'jOaXRpwgJK', 'Q5aX2yhTm1', 'xTiXQQsa9W', 'B0IXY77Bln', 'CnDX8xXo6b', 'yyNXnjGTLw', 'c8vXTNTefY', 'kYTX4YC92l', 'SeYXSfOxoW'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, tTffFSW6kXuWfKvgpm/UOSweUjq7D3sPinCNu.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'wsnOiC6GaD', 'hHGOMCIsTu', 'BJkONONCLV', 'KPQOu61RIR', 'HxMOnKvXh0', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, w6i5Cem3b4xmaEE2yY/rUOALAfKg30nVuRCdr.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'qH2gvI9wZD', 'o3YJ90YG3K', 'VQ1JzqnLgi', 'WwW71Ti0Ad', 'v1F7ZYu8Uf', 'dxP7NYx2jU', 'kyw7irjvf8', 'wM57hnS8DW'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, BOhciDTI7UxO4gCOYU/Ksq8yb8IncZbxUSfmK.csHigh entropy of concatenated method names: 'HZlDPscN3T', 'NusDkf5vSB', 'cnJDblsYH5', 'HTpD57PRry', 'fALD6AKg30', 'kVuDURCdrY', 'Fi5DCCe3b4', 'LmaD9EE2yY', 'a3sDoPinCN', 'jATDyffFS6'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, pRlxiNUbgypVuoP6Uh/B4JTi56RhtZikvpub4.csHigh entropy of concatenated method names: 's3PpInSb1e', 'bripoYOGY3', 'cONpZriHm4', 'p1Ipx2BLIJ', 'yuDpfSAUcP', 'rv9pmVEwn5', 'odXpjX6no1', 'zUhpW2PJTx', 'HEJp7SLcUP', 'm6Epc8HDNQ'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, RfbfwGoi8RPSlkqfew/qGs0IBIGoXtVyYiA1b.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'ehiKVxgOqk', 'LXqKXarBEi', 'BLMKWrRO8N', 'xuZKgi2kW4', 'bKKKjrFVis', 'sDiK8i9FmT', 'SDnKo9k9ij', 'EYEKf66OdJ'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.csHigh entropy of concatenated method names: 'FsAGkxXBtY', 'TQpG6mcP37', 'NwdGUDD57w', '.ctor', '.ctor', 'upuGtXdOLY', 'mDjGb9jM1G', 'eutG5DCn44', 'sqXGKZ9lIE', 'U4ObLnO8pNqZRXbmlDm'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, gqpYcCwBrSrjvOKN6q/IQsis3cmuWgyYrWLIv.csHigh entropy of concatenated method names: '.ctor', 'YN9GDMDqbS', 'UwiGXgxhR5', 'gthGpXFG2c', 'ngcGhmkHlQ', 'HVCGgN1oxl', 'KhMGO58mrv', 'eg5aFLImrdSvdXjBWky', 'SO4kInIZEE6eEbTFr2r', 'jraHeDIreMNgnEaTC1n'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, kXrdsv5uiP4KNIMTbI/G3qiembJ0C8UrfLoZV.csHigh entropy of concatenated method names: 'bagpr2m3hV', 'iGapBfs8pV', 'h6Ipqu7YNW', 'TFJpJ0FEjI', 'krmpap9A66', 'lQ9pRAvFtZ', 'WfIpAOuqVa', 'TpNp2rG3xC', 'vCrpQI9Vta', 'GClpsf0sCk'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, kYTYC9Dp2lHvdL05CDn/hCHQaLDX5jt1yNjGTLw.csHigh entropy of concatenated method names: '.ctor', 'mDDGcb94xK', 'G8QGwwKryy', 'THMGvTWsr1', 'f5AG0KfJH7', 'z24GHSyjdO', 'BcvG3YDk2Q', 'bdPGdKrmpJ', 'HX3GeiDjeb', 'CTiGzf0MTM'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, LkgEbVzqnyfvD9F8H4/oEghyCe5Od9Uuo0voS.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'eliGylqiUR', 'VI27Op8v8m', 'ssN7QONSW9', 'R3lWrtO1QeoiU6PecH5', 'BnDSLGO713q4vgaRLQF', 'B9k7VDOxqLZy0YQN1hV', 'exF0vPON2GlJMfaSuqm', 'ovBBCAOvd0wREXMLZFH'
                Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, qNHMG6DDHOYZZ5NjAIq/pdO1x8DEK7IDC09kUd6.csHigh entropy of concatenated method names: 'Dispose', 'JlJGLNYeE8', 'Q4nGfoJqPc', 'DXPGmUGTfi', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'xDZsj1OsUUcAGBnvxhH', 'BiQy5SOUvqUO3fyuhUy'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, vH5CTpL7PRrybq4BEx/DvSBiax85Mf9iXnJls.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'TUkhHwEoMQ', 'jexqB0sQvf', 'EAMq0Lgmng', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'DvQq9YiAtj'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, hFoyd9ZZlscN3Tfusf/bsYUZZyCX661EfBocS.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'kZMhivpLIy', 'x1PKGpaia1', 'BJaKdSKsIu', 'cGEKnJLZ5S', 'zqEKR4RpPQ', 'RvgKyr1y5H', 'NfBKDsUM5S', 'lqVKBUFGHP'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, mnTCYWkpLjqq4LGHqX/kfr1mxPYEEI8CfmbyY.csHigh entropy of concatenated method names: 'RMtXalTxwL', 'jOaXRpwgJK', 'Q5aX2yhTm1', 'xTiXQQsa9W', 'B0IXY77Bln', 'CnDX8xXo6b', 'yyNXnjGTLw', 'c8vXTNTefY', 'kYTX4YC92l', 'SeYXSfOxoW'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, iXcXSY7pg6yVKma70g/jLGGdLl5HwEF2rsueU.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'IBvOK1Pi9i', 'SKo7x85PYt', 'bku7L97UVm', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'FB3JJ7eR0b'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, tTffFSW6kXuWfKvgpm/UOSweUjq7D3sPinCNu.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'wsnOiC6GaD', 'hHGOMCIsTu', 'BJkONONCLV', 'KPQOu61RIR', 'HxMOnKvXh0', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, w6i5Cem3b4xmaEE2yY/rUOALAfKg30nVuRCdr.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'qH2gvI9wZD', 'o3YJ90YG3K', 'VQ1JzqnLgi', 'WwW71Ti0Ad', 'v1F7ZYu8Uf', 'dxP7NYx2jU', 'kyw7irjvf8', 'wM57hnS8DW'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, qNHMG6DDHOYZZ5NjAIq/pdO1x8DEK7IDC09kUd6.csHigh entropy of concatenated method names: 'Dispose', 'JlJGLNYeE8', 'Q4nGfoJqPc', 'DXPGmUGTfi', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'xDZsj1OsUUcAGBnvxhH', 'BiQy5SOUvqUO3fyuhUy'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, BOhciDTI7UxO4gCOYU/Ksq8yb8IncZbxUSfmK.csHigh entropy of concatenated method names: 'HZlDPscN3T', 'NusDkf5vSB', 'cnJDblsYH5', 'HTpD57PRry', 'fALD6AKg30', 'kVuDURCdrY', 'Fi5DCCe3b4', 'LmaD9EE2yY', 'a3sDoPinCN', 'jATDyffFS6'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, LkgEbVzqnyfvD9F8H4/oEghyCe5Od9Uuo0voS.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'eliGylqiUR', 'VI27Op8v8m', 'ssN7QONSW9', 'R3lWrtO1QeoiU6PecH5', 'BnDSLGO713q4vgaRLQF', 'B9k7VDOxqLZy0YQN1hV', 'exF0vPON2GlJMfaSuqm', 'ovBBCAOvd0wREXMLZFH'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, pRlxiNUbgypVuoP6Uh/B4JTi56RhtZikvpub4.csHigh entropy of concatenated method names: 's3PpInSb1e', 'bripoYOGY3', 'cONpZriHm4', 'p1Ipx2BLIJ', 'yuDpfSAUcP', 'rv9pmVEwn5', 'odXpjX6no1', 'zUhpW2PJTx', 'HEJp7SLcUP', 'm6Epc8HDNQ'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, kXrdsv5uiP4KNIMTbI/G3qiembJ0C8UrfLoZV.csHigh entropy of concatenated method names: 'bagpr2m3hV', 'iGapBfs8pV', 'h6Ipqu7YNW', 'TFJpJ0FEjI', 'krmpap9A66', 'lQ9pRAvFtZ', 'WfIpAOuqVa', 'TpNp2rG3xC', 'vCrpQI9Vta', 'GClpsf0sCk'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, RfbfwGoi8RPSlkqfew/qGs0IBIGoXtVyYiA1b.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'ehiKVxgOqk', 'LXqKXarBEi', 'BLMKWrRO8N', 'xuZKgi2kW4', 'bKKKjrFVis', 'sDiK8i9FmT', 'SDnKo9k9ij', 'EYEKf66OdJ'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.csHigh entropy of concatenated method names: 'FsAGkxXBtY', 'TQpG6mcP37', 'NwdGUDD57w', '.ctor', '.ctor', 'upuGtXdOLY', 'mDjGb9jM1G', 'eutG5DCn44', 'sqXGKZ9lIE', 'U4ObLnO8pNqZRXbmlDm'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, gqpYcCwBrSrjvOKN6q/IQsis3cmuWgyYrWLIv.csHigh entropy of concatenated method names: '.ctor', 'YN9GDMDqbS', 'UwiGXgxhR5', 'gthGpXFG2c', 'ngcGhmkHlQ', 'HVCGgN1oxl', 'KhMGO58mrv', 'eg5aFLImrdSvdXjBWky', 'SO4kInIZEE6eEbTFr2r', 'jraHeDIreMNgnEaTC1n'
                Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, kYTYC9Dp2lHvdL05CDn/hCHQaLDX5jt1yNjGTLw.csHigh entropy of concatenated method names: '.ctor', 'mDDGcb94xK', 'G8QGwwKryy', 'THMGvTWsr1', 'f5AG0KfJH7', 'z24GHSyjdO', 'BcvG3YDk2Q', 'bdPGdKrmpJ', 'HX3GeiDjeb', 'CTiGzf0MTM'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, vH5CTpL7PRrybq4BEx/DvSBiax85Mf9iXnJls.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'TUkhHwEoMQ', 'jexqB0sQvf', 'EAMq0Lgmng', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'DvQq9YiAtj'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, hFoyd9ZZlscN3Tfusf/bsYUZZyCX661EfBocS.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'kZMhivpLIy', 'x1PKGpaia1', 'BJaKdSKsIu', 'cGEKnJLZ5S', 'zqEKR4RpPQ', 'RvgKyr1y5H', 'NfBKDsUM5S', 'lqVKBUFGHP'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, mnTCYWkpLjqq4LGHqX/kfr1mxPYEEI8CfmbyY.csHigh entropy of concatenated method names: 'RMtXalTxwL', 'jOaXRpwgJK', 'Q5aX2yhTm1', 'xTiXQQsa9W', 'B0IXY77Bln', 'CnDX8xXo6b', 'yyNXnjGTLw', 'c8vXTNTefY', 'kYTX4YC92l', 'SeYXSfOxoW'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, iXcXSY7pg6yVKma70g/jLGGdLl5HwEF2rsueU.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'IBvOK1Pi9i', 'SKo7x85PYt', 'bku7L97UVm', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'FB3JJ7eR0b'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, tTffFSW6kXuWfKvgpm/UOSweUjq7D3sPinCNu.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'wsnOiC6GaD', 'hHGOMCIsTu', 'BJkONONCLV', 'KPQOu61RIR', 'HxMOnKvXh0', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, w6i5Cem3b4xmaEE2yY/rUOALAfKg30nVuRCdr.cs: High entropy of concatenated method names: '.ctor', 'Dispose', 'qH2gvI9wZD', 'o3YJ90YG3K', 'VQ1JzqnLgi', 'WwW71Ti0Ad', 'v1F7ZYu8Uf', 'dxP7NYx2jU', 'kyw7irjvf8', 'wM57hnS8DW'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, pRlxiNUbgypVuoP6Uh/B4JTi56RhtZikvpub4.cs: High entropy of concatenated method names: 's3PpInSb1e', 'bripoYOGY3', 'cONpZriHm4', 'p1Ipx2BLIJ', 'yuDpfSAUcP', 'rv9pmVEwn5', 'odXpjX6no1', 'zUhpW2PJTx', 'HEJp7SLcUP', 'm6Epc8HDNQ'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, BOhciDTI7UxO4gCOYU/Ksq8yb8IncZbxUSfmK.cs: High entropy of concatenated method names: 'HZlDPscN3T', 'NusDkf5vSB', 'cnJDblsYH5', 'HTpD57PRry', 'fALD6AKg30', 'kVuDURCdrY', 'Fi5DCCe3b4', 'LmaD9EE2yY', 'a3sDoPinCN', 'jATDyffFS6'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, RfbfwGoi8RPSlkqfew/qGs0IBIGoXtVyYiA1b.cs: High entropy of concatenated method names: '.ctor', 'Dispose', 'ehiKVxgOqk', 'LXqKXarBEi', 'BLMKWrRO8N', 'xuZKgi2kW4', 'bKKKjrFVis', 'sDiK8i9FmT', 'SDnKo9k9ij', 'EYEKf66OdJ'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.cs: High entropy of concatenated method names: 'FsAGkxXBtY', 'TQpG6mcP37', 'NwdGUDD57w', '.ctor', '.ctor', 'upuGtXdOLY', 'mDjGb9jM1G', 'eutG5DCn44', 'sqXGKZ9lIE', 'U4ObLnO8pNqZRXbmlDm'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, kXrdsv5uiP4KNIMTbI/G3qiembJ0C8UrfLoZV.cs: High entropy of concatenated method names: 'bagpr2m3hV', 'iGapBfs8pV', 'h6Ipqu7YNW', 'TFJpJ0FEjI', 'krmpap9A66', 'lQ9pRAvFtZ', 'WfIpAOuqVa', 'TpNp2rG3xC', 'vCrpQI9Vta', 'GClpsf0sCk'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, gqpYcCwBrSrjvOKN6q/IQsis3cmuWgyYrWLIv.cs: High entropy of concatenated method names: '.ctor', 'YN9GDMDqbS', 'UwiGXgxhR5', 'gthGpXFG2c', 'ngcGhmkHlQ', 'HVCGgN1oxl', 'KhMGO58mrv', 'eg5aFLImrdSvdXjBWky', 'SO4kInIZEE6eEbTFr2r', 'jraHeDIreMNgnEaTC1n'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, kYTYC9Dp2lHvdL05CDn/hCHQaLDX5jt1yNjGTLw.cs: High entropy of concatenated method names: '.ctor', 'mDDGcb94xK', 'G8QGwwKryy', 'THMGvTWsr1', 'f5AG0KfJH7', 'z24GHSyjdO', 'BcvG3YDk2Q', 'bdPGdKrmpJ', 'HX3GeiDjeb', 'CTiGzf0MTM'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, qNHMG6DDHOYZZ5NjAIq/pdO1x8DEK7IDC09kUd6.cs: High entropy of concatenated method names: 'Dispose', 'JlJGLNYeE8', 'Q4nGfoJqPc', 'DXPGmUGTfi', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'xDZsj1OsUUcAGBnvxhH', 'BiQy5SOUvqUO3fyuhUy'
                Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, LkgEbVzqnyfvD9F8H4/oEghyCe5Od9Uuo0voS.cs: High entropy of concatenated method names: '.ctor', 'Dispose', 'eliGylqiUR', 'VI27Op8v8m', 'ssN7QONSW9', 'R3lWrtO1QeoiU6PecH5', 'BnDSLGO713q4vgaRLQF', 'B9k7VDOxqLZy0YQN1hV', 'exF0vPON2GlJMfaSuqm', 'ovBBCAOvd0wREXMLZFH'
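The "High entropy of concatenated method names" evidence above is the classic fingerprint of a renaming obfuscator: every member except the ones the runtime forces (.ctor, Dispose, get_Text/set_Text, OnPaint) has been replaced by a random alphanumeric identifier. The Python below is an added example, not code from Joe Sandbox or from the sample; it reproduces the idea so an analyst can apply it to any decompiled class. It pulls the quoted names out of one evidence line copied from this report, concatenates them, computes Shannon entropy in bits per character, and compares the result with a constructed set of ordinary WinForms method names. The 5.0-bit threshold and the "digits mixed with both letter cases" check are assumptions of this example; the sandbox's actual scoring is not published on this page.

```python
import math
import re
from collections import Counter
from typing import Iterable, List

# One evidence line copied from the report above
# (class w6i5Cem3b4xmaEE2yY/rUOALAfKg30nVuRCdr.cs).
REPORT_LINE = (
    "High entropy of concatenated method names: '.ctor', 'Dispose', 'qH2gvI9wZD', "
    "'o3YJ90YG3K', 'VQ1JzqnLgi', 'WwW71Ti0Ad', 'v1F7ZYu8Uf', 'dxP7NYx2jU', "
    "'kyw7irjvf8', 'wM57hnS8DW'"
)

# Constructed comparison set: members an unobfuscated WinForms class typically exposes.
NORMAL_NAMES = ['.ctor', 'Dispose', 'get_Text', 'set_Text', 'OnPaint',
                'InitializeComponent', 'button1_Click', 'LoadSettings',
                'SaveSettings', 'Refresh']

# Assumed threshold in bits per character; not the sandbox's published value.
ENTROPY_THRESHOLD = 5.0


def parse_method_names(line: str) -> List[str]:
    """Extract the single-quoted names from a 'High entropy ...' report line."""
    return re.findall(r"'([^']*)'", line)


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def name_entropy(names: Iterable[str]) -> float:
    """Entropy of all names joined into one string, as the report's heuristic describes."""
    return shannon_entropy("".join(names))


def digit_mixed_fraction(names: Iterable[str]) -> float:
    """Fraction of names that contain a digit plus both upper- and lower-case letters.

    Hand-written and compiler-generated names rarely do; the random identifiers
    renaming obfuscators emit almost always do, so this catches short lists where
    entropy alone is noisy."""
    names = list(names)
    if not names:
        return 0.0

    def mixed(name: str) -> bool:
        return (any(ch.isdigit() for ch in name)
                and any(ch.isupper() for ch in name)
                and any(ch.islower() for ch in name))

    return sum(1 for name in names if mixed(name)) / len(names)


def looks_obfuscated(names: Iterable[str], threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Flag the class if either signal fires (assumed combination rule)."""
    names = list(names)
    return name_entropy(names) >= threshold or digit_mixed_fraction(names) >= 0.5


if __name__ == "__main__":
    sample = parse_method_names(REPORT_LINE)
    print(f"report class : H={name_entropy(sample):.2f} bits/char, "
          f"mixed={digit_mixed_fraction(sample):.1f}, obfuscated={looks_obfuscated(sample)}")
    print(f"normal class : H={name_entropy(NORMAL_NAMES):.2f} bits/char, "
          f"mixed={digit_mixed_fraction(NORMAL_NAMES):.1f}, obfuscated={looks_obfuscated(NORMAL_NAMES)}")
```

Entropy of a short concatenation is bounded by the number of distinct characters, so the digit/case mix is the more stable signal on classes with only three or four members; on the ten-member classes listed here both signals agree.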
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Process information set: NOOPENFILEERRORBOX (this entry is reported 90 times)

                Malware Analysis System Evasion:

                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Window / User API: threadDelayed 968
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Window / User API: threadDelayed 8887
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe TID: 4872 Thread sleep time: -45897s >= -30000s
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe TID: 720 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe TID: 1492 Thread sleep time: -17524406870024063s >= -30000s
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe TID: 3412 Thread sleep count: 968 > 30
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe TID: 3412 Thread sleep count: 8887 > 30
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Thread delayed: delay time: 45897
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Thread delayed: delay time: 922337203685477
                Source: RFQ_ 21072021.exe, 00000005.00000002.475880688.0000000006310000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: RFQ_ 21072021.exe Binary or memory string: DdUXhZQ[fUE6Ws]YTSk6WLInYD73f[o5QsEYYq{nV]8XY[8XVpEzfoQZd5M[]WMZ][<IgogJD}4pfy]3[3Y5]DL[]}Y4[3Y5]D75esU[\moJezE[TiU[]qET]m8Z\3QqeMU[]K<IgogJD|YJg4E[eyQ3[3Y5]DL6e3Q5\xDjfoUZd5<pfTU6\osp\SQ[]mopg|Y5XlY5Y843[wEjfoUZd5<pfTU6\osp\SQ[e|<pU843[wEjfoQ[YDL[]nopgyMKX3QZ
                Source: RFQ_ 21072021.exe, 00000005.00000002.475880688.0000000006310000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: RFQ_ 21072021.exe, 00000005.00000002.475880688.0000000006310000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: RFQ_ 21072021.exe, 00000005.00000002.470729166.000000000166F000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA=q
                Source: RFQ_ 21072021.exe, 00000005.00000002.475880688.0000000006310000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Code function: 5_2_014F11B0 LdrInitializeThunk,5_2_014F11B0
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                Injects a PE file into a foreign process
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Memory written: C:\Users\user\Desktop\RFQ_ 21072021.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Process created: C:\Users\user\Desktop\RFQ_ 21072021.exe C:\Users\user\Desktop\RFQ_ 21072021.exe
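Two sets of evidence above are worth pulling out of a raw behaviour log automatically: the evasion section (WMI enumeration of Win32_BaseBoard, Win32_NetworkAdapterConfiguration and Win32_Processor; a sleep of 922337203685477, which is Int64.MaxValue / 10^4, i.e. a maximal .NET TimeSpan and in practice an infinite wait; 8887 sleep calls from one thread) and the injection section (an MZ header written at image base 0x400000 into a second copy of the sample that the sample itself started, the usual RunPE / process-hollowing pattern of this loader family). The Python below is an added triage example, not code from Joe Sandbox or the sample: it runs three rules over constructed sample lines copied from this report and links the "Memory written" and "Process created" entries so the self-hollowing is reported as one finding. The VM-probe class list, the 300-second and 1000-call thresholds and the line formats it expects are assumptions of this example.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (rule name, detail)

# Constructed sample: behaviour lines copied from the report above, plus one
# benign font lookup that must not fire any rule.
SAMPLE_LINES = [
    "WMI Queries: IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_BaseBoard",
    "WMI Queries: IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_NetworkAdapterConfiguration",
    "WMI Queries: IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_Processor",
    "TID: 720 Thread sleep time: -922337203685477s >= -30000s",
    "TID: 3412 Thread sleep count: 8887 > 30",
    "Memory written: C:\\Users\\user\\Desktop\\RFQ_ 21072021.exe base: 400000 value starts with: 4D5A",
    "Process created: C:\\Users\\user\\Desktop\\RFQ_ 21072021.exe C:\\Users\\user\\Desktop\\RFQ_ 21072021.exe",
    "Queries volume information: C:\\Windows\\Fonts\\arial.ttf VolumeInformation",
]

# WMI classes commonly enumerated to fingerprint a hypervisor (assumed list; the
# three seen in this report plus the usual companions).
VM_PROBE_CLASSES = {
    "Win32_BaseBoard", "Win32_Bios", "Win32_Processor", "Win32_ComputerSystem",
    "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration",
    "Win32_DiskDrive", "Win32_VideoController",
}

# Line formats as they appear in the report (assumed stable).
WMI_RE = re.compile(r"root\\cimv2 : (?:SELECT .+? FROM )?(Win32_\w+)")
SLEEP_TIME_RE = re.compile(r"Thread sleep time: -?(\d+)s")   # report prints relative times negative
SLEEP_COUNT_RE = re.compile(r"Thread sleep count: (\d+)")
MZ_WRITE_RE = re.compile(r"Memory written: (.+?) base: ([0-9A-Fa-f]+) value starts with: 4D5A")


def triage(lines: List[str], sleep_seconds: int = 300, sleep_calls: int = 1000) -> List[Finding]:
    """Apply the three rules to behaviour lines and return the findings in order."""
    findings: List[Finding] = []
    mz_targets: List[str] = []

    for line in lines:
        m = WMI_RE.search(line)
        if m and m.group(1) in VM_PROBE_CLASSES:
            findings.append(("wmi_vm_probe", m.group(1)))
            continue
        m = SLEEP_TIME_RE.search(line)
        if m and int(m.group(1)) >= sleep_seconds:
            findings.append(("long_sleep", f"{m.group(1)}s"))
            continue
        m = SLEEP_COUNT_RE.search(line)
        if m and int(m.group(1)) >= sleep_calls:
            findings.append(("sleep_loop", f"{m.group(1)} calls"))
            continue
        m = MZ_WRITE_RE.search(line)
        if m:
            mz_targets.append(m.group(1))
            findings.append(("pe_written_to_process", f"{m.group(1)} @0x{m.group(2)}"))

    # Second pass: a PE image written into a process the sample itself spawned
    # is hollowing of its own child, which is stronger than either event alone.
    for target in mz_targets:
        if any(l.startswith(f"Process created: {target}") for l in lines):
            findings.append(("self_hollowing", target))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LINES):
        print(f"{rule:24s} {detail}")
```

The second pass is the part worth keeping in a real pipeline: on its own, "Memory written ... 4D5A" also fires for legitimate loaders that map a DLL into a helper process, but combined with the sample creating the target from its own image it is close to a definitive hollowing verdict.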
                Source: RFQ_ 21072021.exe, 00000005.00000002.470935101.0000000001C00000.00000002.00000001.sdmp Binary or memory string: Program Manager
                Source: RFQ_ 21072021.exe, 00000005.00000002.470935101.0000000001C00000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                Source: RFQ_ 21072021.exe, 00000005.00000002.470935101.0000000001C00000.00000002.00000001.sdmp Binary or memory string: Progman
                Source: RFQ_ 21072021.exe, 00000005.00000002.470935101.0000000001C00000.00000002.00000001.sdmp Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Users\user\Desktop\RFQ_ 21072021.exe VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information (one VolumeInformation query per file, 100 files under C:\Windows\Fonts\, in the order reported):
                arial.ttf, ariali.ttf, arialbd.ttf, arialbi.ttf, ARIALN.TTF, ariblk.ttf, ARIALNI.TTF, ARIALNB.TTF, ARIALNBI.TTF, bahnschrift.ttf,
                calibri.ttf, calibril.ttf, calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf,
                Candara.ttf, Candarai.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf, consola.ttf, consolai.ttf, consolab.ttf, consolaz.ttf,
                constan.ttf, constani.ttf, constanb.ttf, constanz.ttf, corbel.ttf, corbeli.ttf, corbelb.ttf, corbelz.ttf, cour.ttf, couri.ttf, courbd.ttf, courbi.ttf,
                ebrima.ttf, ebrimabd.ttf, framd.ttf, FRADM.TTF, framdit.ttf, FRADMIT.TTF, FRAMDCN.TTF, FRADMCN.TTF, FRAHV.TTF, FRAHVIT.TTF,
                Gabriola.ttf, gadugi.ttf, gadugib.ttf, georgia.ttf, georgiai.ttf, georgiab.ttf, georgiaz.ttf, impact.ttf, Inkfree.ttf, javatext.ttf,
                LeelawUI.ttf, LeelUIsl.ttf, LeelaUIb.ttf, lucon.ttf, l_10646.ttf, malgun.ttf, malgunsl.ttf, malgunbd.ttf, himalaya.ttf,
                msjh.ttc, msjhl.ttc, msjhbd.ttc, ntailu.ttf, ntailub.ttf, phagspa.ttf, phagspab.ttf, micross.ttf, taile.ttf, taileb.ttf,
                msyh.ttc, msyhl.ttc, msyhbd.ttc, msyi.ttf, mingliub.ttc, monbaiti.ttf, msgothic.ttc, mvboli.ttf, mmrtext.ttf, mmrtextb.ttf,
                Nirmala.ttf, NirmalaS.ttf, NirmalaB.ttf, pala.ttf, palai.ttf, palab.ttf, palabi.ttf
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Queries volume information (VolumeInformation) for the following files:
• C:\Windows\Fonts\ERASDEMI.TTF
• C:\Windows\Fonts\ERASBD.TTF
• C:\Windows\Fonts\ENGR.TTF
• C:\Windows\Fonts\ELEPHNT.TTF
• C:\Windows\Fonts\ELEPHNTI.TTF
• C:\Windows\Fonts\ITCEDSCR.TTF
• C:\Windows\Fonts\CURLZ___.TTF
• C:\Windows\Fonts\COPRGTL.TTF
• C:\Windows\Fonts\COPRGTB.TTF
• C:\Windows\Fonts\CENSCBK.TTF
• C:\Windows\Fonts\SCHLBKI.TTF
• C:\Windows\Fonts\SCHLBKB.TTF
• C:\Windows\Fonts\SCHLBKBI.TTF
• C:\Windows\Fonts\CASTELAR.TTF
• C:\Windows\Fonts\CALIST.TTF
• C:\Windows\Fonts\CALISTI.TTF
• C:\Windows\Fonts\CALISTB.TTF
• C:\Windows\Fonts\CALISTBI.TTF
• C:\Windows\Fonts\BOOKOS.TTF
• C:\Windows\Fonts\BOOKOSB.TTF
• C:\Windows\Fonts\BOOKOSI.TTF
• C:\Windows\Fonts\BOOKOSBI.TTF
• C:\Windows\Fonts\BOD_R.TTF
• C:\Windows\Fonts\BOD_I.TTF
• C:\Windows\Fonts\BOD_B.TTF
• C:\Windows\Fonts\BOD_BI.TTF
• C:\Windows\Fonts\BOD_CR.TTF
• C:\Windows\Fonts\BOD_BLAR.TTF
• C:\Windows\Fonts\BOD_CI.TTF
• C:\Windows\Fonts\BOD_CB.TTF
• C:\Windows\Fonts\BOD_BLAI.TTF
• C:\Windows\Fonts\BOD_CBI.TTF
• C:\Windows\Fonts\ITCBLKAD.TTF
• C:\Windows\Fonts\ARLRDBD.TTF
• C:\Windows\Fonts\AGENCYR.TTF
• C:\Windows\Fonts\AGENCYB.TTF
• C:\Windows\Fonts\BSSYM7.TTF
• C:\Windows\Fonts\REFSAN.TTF
• C:\Windows\Fonts\REFSPCL.TTF
• C:\Windows\Fonts\MTEXTRA.TTF
• C:\Windows\Fonts\marlett.ttf
• C:\Windows\Fonts\micross.ttf
• C:\Users\user\Desktop\RFQ_ 21072021.exe
• C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
• C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
• C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
• C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 5.2.RFQ_ 21072021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match | File source: 5.2.RFQ_ 21072021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ_ 21072021.exe PID: 2408, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ_ 21072021.exe PID: 2408, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 5.2.RFQ_ 21072021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match | File source: 5.2.RFQ_ 21072021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ_ 21072021.exe PID: 2408, type: MEMORY

                Mitre Att&ck Matrix

Techniques per tactic (the number after a technique is the report's count of matching signatures; techniques without a number are the matrix's default entries):
• Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
• Execution: Windows Management Instrumentation (211); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
• Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
• Privilege Escalation: Process Injection (112); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
• Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (131); Process Injection (112); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (3)
• Credential Access: OS Credential Dumping (2); Credentials in Registry (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
• Discovery: Query Registry (1); Security Software Discovery (111); Process Discovery (2); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); Remote System Discovery (1); System Information Discovery (114)
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
• Collection: Email Collection (1); Archive Collected Data (11); Data from Local System (2); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
• Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Fallback Channels; Multiband Communication; Commonly Used Port
• Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
• Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
• Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

                Behavior Graph

                Screenshots


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

Source | Detection | Scanner | Label
RFQ_ 21072021.exe | 30% | Virustotal |
RFQ_ 21072021.exe | 15% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
RFQ_ 21072021.exe | 100% | Joe Sandbox ML |

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

Source | Detection | Scanner | Label
5.2.RFQ_ 21072021.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                Domains

Source | Detection | Scanner | Label
tccinfaes.com | 1% | Virustotal |
mail.tccinfaes.com | 2% | Virustotal |

                URLs

Source | Detection | Scanner | Label
http://mail.tccinfaes.com | 2% | Virustotal |
http://mail.tccinfaes.com | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
http://tccinfaes.com | 0% | Avira URL Cloud | safe
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
http://TryUj9XyxT6LakY.org | 0% | Avira URL Cloud | safe
http://xmALXm.com | 0% | Avira URL Cloud | safe
http://r3.i.lencr.org/0) | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe

                Domains and IPs

                Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
tccinfaes.com | 188.93.227.195 | true | true | | unknown
mail.tccinfaes.com | unknown | unknown | true | | unknown

                URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://mail.tccinfaes.com | RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
http://127.0.0.1:HTTP/1.1 | RFQ_ 21072021.exe, 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | RFQ_ 21072021.exe, 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://cps.letsencrypt.org0 | RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RFQ_ 21072021.exe, 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://x1.c.lencr.org/0 | RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tccinfaes.com | RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://api.twitter.com/1/direct_messages.xml?since_id= | RFQ_ 21072021.exe | false | | high
http://r3.o.lencr.org0 | RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://TryUj9XyxT6LakY.org | RFQ_ 21072021.exe, 00000005.00000002.473275358.00000000034E4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://xmALXm.com | RFQ_ 21072021.exe, 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://twitter.com/statuses/user_timeline.xml?screen_name= | RFQ_ 21072021.exe | false | | high
http://r3.i.lencr.org/0) | RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | RFQ_ 21072021.exe, 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://cps.root-x1.letsencrypt.org0 | RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                    Contacted IPs


                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
188.93.227.195 | tccinfaes.com | Portugal | 8426 | CLARANET-AS ClaraNET LTD GB | true

                    General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 452459
Start date: 22.07.2021
Start time: 12:00:04
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 7s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: RFQ_ 21072021.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@2/1
EGA Information:
• Successful, ratio: 50%
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 21
• Number of non-executed functions: 2
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 104.42.151.234, 40.88.32.150, 23.211.6.115, 52.147.198.201, 20.82.210.154, 23.211.4.86, 40.112.88.60, 93.184.221.240, 80.67.82.211, 80.67.82.235
                    • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, wu.ec.azureedge.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net
• Not all processes were analyzed, report is missing behavior information
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.

                    Simulations

                    Behavior and APIs

Time | Type | Description
12:01:14 | API Interceptor | 663x Sleep call for process: RFQ_ 21072021.exe modified

                    Joe Sandbox View / Context

                    IPs

Match | Associated Sample Name / URL | Detection
188.93.227.195, previously seen with the following samples (all detected as malicious):
• NRPwo7uSCaLmXtV.exe
• zam#U00f3w 1536625_pdf.exe
• SHIPPING DOCUMENT.exe
• 5evmU6c7Nx.exe
• Zam#U00f3wienie-017.2021.exe
• PO HDT01-07.xlsx
• 184285013-044310-sanlccjavap0003-7069.exe
• PO DOCS 30-06.xlsx
• qiKDsbFyzQ.exe
• PO DHS312445.xlsx
• SecuriteInfo.com.W32.MSIL_Kryptik.DVA.genEldorado.15172.exe
• TRANSFER SLIP00020212405_pdf.exe
• RFQ-284683839.001.exe
• Dane bankowe.exe
• 33aee36c_by_Libranalysis.exe
• Dane bankowe.exe

                                                    Domains

Match | Associated Sample Name / URL | Detection

                                                    ASN

Match | Associated Sample Name / URL | Detection | Context
CLARANET-AS ClaraNET LTD GB, previously seen with the following samples (all detected as malicious; the contacted IP is given for each):
• 5qpsqg7U0G: 185.77.75.98
• 8wzyljMmmn: 138.248.76.96
• AT9n7Bk0yE: 195.8.76.231
• 0aC0TBcdxb: 195.170.117.46
• NRPwo7uSCaLmXtV.exe: 188.93.227.195
• zam#U00f3w 1536625_pdf.exe: 188.93.227.195
• SHIPPING DOCUMENT.exe: 188.93.227.195
• 5evmU6c7Nx.exe: 188.93.227.195
• Zam#U00f3wienie-017.2021.exe: 188.93.227.195
• PO HDT01-07.xlsx: 188.93.227.195
• 184285013-044310-sanlccjavap0003-7069.exe: 188.93.227.195
• PO DOCS 30-06.xlsx: 188.93.227.195
• qiKDsbFyzQ.exe: 188.93.227.195
• PO DHS312445.xlsx: 188.93.227.195
• SecuriteInfo.com.W32.MSIL_Kryptik.DVA.genEldorado.15172.exe: 188.93.227.195
• TRANSFER SLIP00020212405_pdf.exe: 188.93.227.195
• RFQ-284683839.001.exe: 188.93.227.195
• Dane bankowe.exe: 188.93.227.195
• 33aee36c_by_Libranalysis.exe: 188.93.227.195
• Dane bankowe.exe: 188.93.227.195

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ_ 21072021.exe.log
Process: C:\Users\user\Desktop\RFQ_ 21072021.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                    Static File Info

                                                    General

                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.450390704563295
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Windows Screen Saver (13104/52) 0.07%
                                                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                    File name:RFQ_ 21072021.exe
                                                    File size:934400
                                                    MD5:0a74cbd4246a6e11077876c572a3d507
                                                    SHA1:0a4f341f4e9b399fa37a42e041bb3bb3b6f455ff
                                                    SHA256:4856e75e63f0c5c14255001eefbea1d88c99fa8b7279dd0703a407a90b222b93
                                                    SHA512:b04188c94acf13c205697681f273f370bb259ac782735b25854e412e7290a32214c00a2b0e5bf9e0d49888df2c6cc0a487ee88c320d9b440c0205b48895d1d59
                                                    SSDEEP:12288:YSIt+/xerrmsnUsFIYHqCZnjKFBce/9ghkR6jDzjSbfeXnhLPu2syaUVKnpa:YZD/7nZ7H9njKFBcli67O6XhLjzahpa
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Y..`.................X...........w... ........@.. ....................................@................................

                                                    File Icon

                                                    Icon Hash:1749c81a994c2d93

                                                    Static PE Info

                                                    General

                                                    Entrypoint:0x4c771e
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                    Time Stamp:0x60F91259 [Thu Jul 22 06:38:17 2021 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:v4.0.30319
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                    Entrypoint Preview

                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    add byte ptr [eax], al      (this line repeats 97 times in the original listing)

                                                    The only real instruction is the jmp. 0x402000 is the image base (0x400000) plus the IAT RVA 0x2000 listed under Data Directories, and that IAT holds a single entry, mscoree!_CorExeMain, so this is the standard native stub of a managed executable handing control to the CLR. Everything after it is zero padding; the byte pair 00 00 decodes as add byte ptr [eax], al, which is why the disassembler prints that line over and over.

                                                    Data Directories

                                                    Name                                  Virtual Address  Virtual Size  Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT          0xc76d0          0x4b          .text
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE        0xca000          0x1e06c       .rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC       0xea000          0xc           .reloc
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                    Sections

                                                    Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
                                                    .text   0x2000           0xc5724       0xc5800   False     0.777621884889   data       7.56840197347    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                    .sdata  0xc8000          0x18          0x200     False     0.060546875      data       0.456640975135   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                    .rsrc   0xca000          0x1e06c       0x1e200   False     0.304201244813   data       5.12107540034    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .reloc  0xea000          0xc           0x200     False     0.044921875      data       0.0980041756627  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                    The code section holds 0xc5800 of the 934400 bytes in the file and scores 7.57 bits per byte, close to the 8.0 ceiling. As a triage rule of thumb, compiled IL without an embedded encrypted or compressed blob lands well below 7, so this is the profile of a packed or crypted assembly rather than plain compiled code.
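To reproduce the Entropy column above and turn it into a triage verdict, here is an added example (it is not part of the Joe Sandbox report, nor code from the sample): a standard-library-only walker over the PE section table that computes per-section Shannon entropy and flags executable sections above a threshold. The threshold of 7.0 and the built-in test image produced by build_sample_pe are assumptions; the sample's .text at 7.57 bits per byte is exactly what the heuristic is meant to catch.

```python
import math
import struct

# Section characteristic bits (IMAGE_SCN_* in winnt.h).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Triage threshold, an assumption: compiler-emitted code and IL normally sit well
# below 7 bits/byte, while encrypted or compressed payloads push towards 8.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage_sections(pe: bytes) -> list:
    """Walk the section table of a PE image held in memory and return one record
    per section. Only the DOS header pointer and the COFF header are parsed."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional                 # first IMAGE_SECTION_HEADER (40 bytes each)
    records = []
    for i in range(num_sections):
        off = table + i * 40
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        entropy = shannon_entropy(pe[rawptr:rawptr + rawsize])
        executable = bool(chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE))
        records.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(entropy, 3),
            "executable": executable,
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
            # an executable section that looks like random data is the packer/crypter signal
            "packed": executable and entropy > PACKED_ENTROPY_THRESHOLD,
        })
    return records


def build_sample_pe(sections) -> bytes:
    """Construct a minimal PE image (DOS header, COFF header, section table, raw
    data) for testing. It is not loadable; it only has to satisfy triage_sections."""
    file_align, e_lfanew, size_of_optional = 0x200, 0x40, 0   # walker only reads the size field
    hdr_len = e_lfanew + 4 + 20 + size_of_optional + 40 * len(sections)
    hdr_end = -(-hdr_len // file_align) * file_align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x0102)
    table, body, rawptr, vaddr = b"", b"", hdr_end, 0x2000
    for name, data, chars in sections:
        rawsize = -(-len(data) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), vaddr,
                             rawsize, rawptr, 0, 0, 0, 0, chars)
        body += data.ljust(rawsize, b"\0")
        rawptr += rawsize
        vaddr += -(-max(len(data), 1) // 0x1000) * 0x1000
    return (dos + b"PE\0\0" + coff + table).ljust(hdr_end, b"\0") + body


# Constructed input: an encrypted-looking code section (every byte value equally
# frequent, so entropy is exactly 8.0) next to a small, zero-filled data section.
SAMPLE_PE = build_sample_pe([
    (b".text", bytes(range(256)) * 8, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ),
    (b".sdata", b"\0" * 24, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    for rec in triage_sections(SAMPLE_PE):
        print(rec)
```

Pass the bytes of a real file to triage_sections instead of SAMPLE_PE to reproduce the table; the walker reads the section table only, so it tolerates truncated or oddly aligned samples as long as the headers are intact. The entropy is computed over the raw bytes on disk (SizeOfRawData), which is what the sandbox column measures too.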

                                                    Resources

                                                    Name           RVA      Size     Type
                                                    RT_ICON        0xca220  0x468    GLS_BINARY_LSB_FIRST
                                                    RT_ICON        0xca688  0x10a8   dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 86452005, next used block 10132114
                                                    RT_ICON        0xcb730  0x25a8   dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 54805568, next used block 21251136
                                                    RT_ICON        0xcdcd8  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 54805568, next used block 4473920
                                                    RT_ICON        0xd1f00  0x10828  data
                                                    RT_ICON        0xe2728  0x539b   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                    RT_GROUP_ICON  0xe7ac4  0x5a     data
                                                    RT_VERSION     0xe7b20  0x35e    data
                                                    RT_MANIFEST    0xe7e80  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                    Language and Country are unset for every entry. The "dBase IV DBT" and "GLS_BINARY" descriptions are libmagic guesses over raw icon bitmap data and carry no meaning here; the entries are the ordinary icon set, version resource and manifest of a Windows executable.

                                                    Imports

                                                    DLL          Import
                                                    mscoree.dll  _CorExeMain

                                                    A single native import is normal for a managed executable; the assemblies it actually depends on are recorded in the CLR metadata and show up in the UsageLogs preview above (Microsoft.VisualBasic, System.Windows.Forms, System.Drawing, System.Configuration, System.Xml).

                                                    Version Infos

                                                    Description       Data
                                                    Translation       0x0000 0x04b0
                                                    LegalCopyright    (c) 2019 Riot Games, Inc.
                                                    Assembly Version  2.0.26.9
                                                    InternalName      ValueFix.exe
                                                    FileVersion       2.0.26.9
                                                    CompanyName       Riot Games, Inc.
                                                    LegalTrademarks   (empty)
                                                    Comments          (empty)
                                                    ProductName       Riot Client
                                                    ProductVersion    2.0.26.9
                                                    FileDescription   Riot Client
                                                    OriginalFilename  ValueFix.exe

                                                    None of this is authenticated: the file carries no Authenticode signature (Digitally signed: false under Static PE Info), so the Riot Games branding is just a string in the version resource, and the OriginalFilename ValueFix.exe does not match the name the file was delivered under (RFQ_ 21072021.exe).

                                                    Network Behavior

                                                    Network Port Distribution

                                                    TCP Packets

                                                    Timestamp                             Src port  Dst port  Src IP          Dst IP
                                                    Jul 22, 2021 12:02:55.453504086 CEST  49739     587       192.168.2.3     188.93.227.195
                                                    Jul 22, 2021 12:02:55.537091017 CEST  587       49739     188.93.227.195  192.168.2.3
                                                    Jul 22, 2021 12:02:55.537626028 CEST  49739     587       192.168.2.3     188.93.227.195
                                                    Jul 22, 2021 12:02:55.718158007 CEST  587       49739     188.93.227.195  192.168.2.3
                                                    Jul 22, 2021 12:02:55.720782995 CEST  49739     587       192.168.2.3     188.93.227.195
                                                    Jul 22, 2021 12:02:55.804296017 CEST  587       49739     188.93.227.195  192.168.2.3
                                                    Jul 22, 2021 12:02:55.804797888 CEST  49739     587       192.168.2.3     188.93.227.195
                                                    Jul 22, 2021 12:02:55.890711069 CEST  587       49739     188.93.227.195  192.168.2.3
                                                    Jul 22, 2021 12:02:55.931384087 CEST  49739     587       192.168.2.3     188.93.227.195
                                                    Jul 22, 2021 12:02:55.971260071 CEST  49739     587       192.168.2.3     188.93.227.195
                                                    Jul 22, 2021 12:02:56.064718008 CEST  587       49739     188.93.227.195  192.168.2.3
                                                    Jul 22, 2021 12:02:56.064744949 CEST  587       49739     188.93.227.195  192.168.2.3
                                                    Jul 22, 2021 12:02:56.064758062 CEST  587       49739     188.93.227.195  192.168.2.3
                                                    Jul 22, 2021 12:02:56.064785957 CEST  587       49739     188.93.227.195  192.168.2.3
                                                    Jul 22, 2021 12:02:56.065032005 CEST  49739     587       192.168.2.3     188.93.227.195
                                                    Jul 22, 2021 12:02:56.065334082 CEST  587       49739     188.93.227.195  192.168.2.3
                                                    Jul 22, 2021 12:02:56.078958035 CEST  49739     587       192.168.2.3     188.93.227.195
                                                    Jul 22, 2021 12:02:56.166285038 CEST  587       49739     188.93.227.195  192.168.2.3
                                                    Jul 22, 2021 12:02:56.212625027 CEST  49739     587       192.168.2.3     188.93.227.195
                                                    Jul 22, 2021 12:02:56.436260939 CEST  49739     587       192.168.2.3     188.93.227.195
                                                    Jul 22, 2021 12:02:56.520169973 CEST  587       49739     188.93.227.195  192.168.2.3
                                                    Jul 22, 2021 12:02:56.522408962 CEST  49739     587       192.168.2.3     188.93.227.195
                                                    Jul 22, 2021 12:02:56.606291056 CEST  587       49739     188.93.227.195  192.168.2.3
                                                    Jul 22, 2021 12:02:56.607594967 CEST  49739     587       192.168.2.3     188.93.227.195
                                                    Jul 22, 2021 12:02:56.696959972 CEST  587       49739     188.93.227.195  192.168.2.3
                                                    Jul 22, 2021 12:02:56.698246956 CEST  49739     587       192.168.2.3     188.93.227.195
                                                    Jul 22, 2021 12:02:56.782324076 CEST  587       49739     188.93.227.195  192.168.2.3
                                                    Jul 22, 2021 12:02:56.782718897 CEST  49739     587       192.168.2.3     188.93.227.195
                                                    Jul 22, 2021 12:02:56.878906012 CEST  587       49739     188.93.227.195  192.168.2.3
                                                    Jul 22, 2021 12:02:56.879219055 CEST  49739     587       192.168.2.3     188.93.227.195
                                                    Jul 22, 2021 12:02:56.962773085 CEST  587       49739     188.93.227.195  192.168.2.3
                                                    Jul 22, 2021 12:02:56.963463068 CEST  49739     587       192.168.2.3     188.93.227.195
                                                    Jul 22, 2021 12:02:56.963514090 CEST  49739     587       192.168.2.3     188.93.227.195
                                                    Jul 22, 2021 12:02:56.964054108 CEST  49739     587       192.168.2.3     188.93.227.195
                                                    Jul 22, 2021 12:02:56.964066029 CEST  49739     587       192.168.2.3     188.93.227.195
                                                    Jul 22, 2021 12:02:57.047020912 CEST  587       49739     188.93.227.195  192.168.2.3
                                                    Jul 22, 2021 12:02:57.047041893 CEST  587       49739     188.93.227.195  192.168.2.3
                                                    Jul 22, 2021 12:02:57.047396898 CEST  587       49739     188.93.227.195  192.168.2.3
                                                    Jul 22, 2021 12:02:57.047414064 CEST  587       49739     188.93.227.195  192.168.2.3
                                                    Jul 22, 2021 12:02:57.055247068 CEST  587       49739     188.93.227.195  192.168.2.3
                                                    Jul 22, 2021 12:02:57.103302002 CEST  49739     587       192.168.2.3     188.93.227.195

                                                    UDP Packets

                                                    Timestamp                             Src port  Dst port  Src IP       Dst IP
                                                    Jul 22, 2021 12:00:44.322632074 CEST  51281     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:00:44.372987986 CEST  53        51281     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:00:45.745069981 CEST  49199     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:00:45.800614119 CEST  53        49199     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:00:46.541826010 CEST  50620     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:00:46.600564003 CEST  53        50620     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:00:47.140366077 CEST  64938     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:00:47.192239046 CEST  53        64938     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:00:48.457087040 CEST  60152     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:00:48.509176970 CEST  53        60152     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:00:50.201914072 CEST  57544     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:00:50.258915901 CEST  53        57544     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:00:51.661979914 CEST  55984     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:00:51.713931084 CEST  53        55984     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:00:52.988853931 CEST  64185     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:00:53.048674107 CEST  53        64185     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:00:54.162817001 CEST  65110     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:00:54.212244034 CEST  53        65110     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:00:55.065648079 CEST  58361     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:00:55.117610931 CEST  53        58361     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:00:56.260020018 CEST  63492     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:00:56.317395926 CEST  53        63492     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:00:57.389389038 CEST  60831     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:00:57.438536882 CEST  53        60831     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:00:58.734705925 CEST  60100     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:00:58.791606903 CEST  53        60100     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:01:00.174190998 CEST  53195     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:01:00.231174946 CEST  53        53195     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:01:01.350590944 CEST  50141     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:01:01.402122974 CEST  53        50141     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:01:02.121391058 CEST  53023     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:01:02.175849915 CEST  53        53023     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:01:02.975672960 CEST  49563     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:01:03.035983086 CEST  53        49563     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:01:04.914079905 CEST  51352     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:01:04.966110945 CEST  53        51352     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:01:06.055859089 CEST  59349     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:01:06.108244896 CEST  53        59349     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:01:07.196876049 CEST  57084     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:01:07.249084949 CEST  53        57084     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:01:20.181071043 CEST  58823     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:01:20.249563932 CEST  53        58823     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:01:21.557835102 CEST  57568     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:01:21.674859047 CEST  53        57568     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:01:35.917995930 CEST  50540     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:01:35.986428976 CEST  53        50540     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:01:39.335983038 CEST  54366     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:01:39.393368959 CEST  53        54366     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:01:54.240178108 CEST  53034     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:01:54.298537016 CEST  53        53034     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:01:57.508630991 CEST  57762     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:01:57.568834066 CEST  53        57762     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:02:28.774041891 CEST  55435     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:02:28.851541996 CEST  53        55435     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:02:32.230384111 CEST  50713     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:02:32.289351940 CEST  53        50713     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:02:55.214694023 CEST  56132     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:02:55.289421082 CEST  53        56132     8.8.8.8      192.168.2.3
                                                    Jul 22, 2021 12:02:55.304380894 CEST  58987     53        192.168.2.3  8.8.8.8
                                                    Jul 22, 2021 12:02:55.362222910 CEST  53        58987     8.8.8.8      192.168.2.3

                                                    All 30 UDP exchanges are DNS lookups from the analysis VM to 8.8.8.8. Only the last two, at 12:02:55.214694023 and 12:02:55.304380894, immediately precede the SMTP connection and are the ones attributed to the sample in the DNS Queries table (lookups of mail.tccinfaes.com); the report does not attribute the earlier lookups.

                                                    DNS Queries

                                                    Timestamp                             Src IP       Dst IP   Trans ID  OP Code             Name                Type            Class
                                                    Jul 22, 2021 12:02:55.214694023 CEST  192.168.2.3  8.8.8.8  0x9451    Standard query (0)  mail.tccinfaes.com  A (IP address)  IN (0x0001)
                                                    Jul 22, 2021 12:02:55.304380894 CEST  192.168.2.3  8.8.8.8  0x348c    Standard query (0)  mail.tccinfaes.com  A (IP address)  IN (0x0001)

                                                    DNS Answers

                                                    Timestamp                             Src IP   Dst IP       Trans ID  Reply Code    Name                CName          Address         Type                    Class
                                                    Jul 22, 2021 12:02:55.289421082 CEST  8.8.8.8  192.168.2.3  0x9451    No error (0)  mail.tccinfaes.com  tccinfaes.com  -               CNAME (Canonical name)  IN (0x0001)
                                                    Jul 22, 2021 12:02:55.289421082 CEST  8.8.8.8  192.168.2.3  0x9451    No error (0)  tccinfaes.com       -              188.93.227.195  A (IP address)          IN (0x0001)
                                                    Jul 22, 2021 12:02:55.362222910 CEST  8.8.8.8  192.168.2.3  0x348c    No error (0)  mail.tccinfaes.com  tccinfaes.com  -               CNAME (Canonical name)  IN (0x0001)
                                                    Jul 22, 2021 12:02:55.362222910 CEST  8.8.8.8  192.168.2.3  0x348c    No error (0)  tccinfaes.com       -              188.93.227.195  A (IP address)          IN (0x0001)

                                                    SMTP Packets

                                                    Jul 22, 2021 12:02:55.718158007 CEST  server 188.93.227.195:587 -> client 192.168.2.3:49739
                                                        220-iberweb-11a.ibername.com ESMTP Exim 4.94.2 #2 Thu, 22 Jul 2021 11:02:54 +0100
                                                        220-We do not authorize the use of this system to transport unsolicited,
                                                        220 and/or bulk e-mail.
                                                    Jul 22, 2021 12:02:55.720782995 CEST  client 192.168.2.3:49739 -> server 188.93.227.195:587
                                                        EHLO 936905
                                                    Jul 22, 2021 12:02:55.804296017 CEST  server -> client
                                                        250-iberweb-11a.ibername.com Hello 936905 [84.17.52.8]
                                                        250-SIZE 52428800
                                                        250-8BITMIME
                                                        250-PIPELINING
                                                        250-PIPE_CONNECT
                                                        250-AUTH PLAIN LOGIN
                                                        250-STARTTLS
                                                        250 HELP
                                                    Jul 22, 2021 12:02:55.804797888 CEST  client -> server
                                                        STARTTLS
                                                    Jul 22, 2021 12:02:55.890711069 CEST  server -> client
                                                        220 TLS go ahead

                                                    What the clear-text part of the session shows: the client greets with EHLO 936905, a bare number rather than a hostname; the server, Exim 4.94.2 on iberweb-11a.ibername.com, offers AUTH PLAIN and LOGIN as well as STARTTLS; the client upgrades to TLS straight away, so the AUTH exchange and the message itself are encrypted and do not appear in the capture, which is why nothing follows "220 TLS go ahead" here. The bracketed 84.17.52.8 in the Hello line is the sandbox's public egress address as the server saw it, not an indicator from the sample.

                                                    Code Manipulations

                                                    Statistics

                                                    CPU Usage

                                                    Memory Usage

                                                    High Level Behavior Distribution

                                                    Behavior

                                                    System Behavior

                                                    General

                                                    Start time: 12:00:50
                                                    Start date: 22/07/2021
                                                    Path: C:\Users\user\Desktop\RFQ_ 21072021.exe
                                                    Wow64 process (32bit): true
                                                    Commandline: 'C:\Users\user\Desktop\RFQ_ 21072021.exe'
                                                    Imagebase: 0x510000
                                                    File size: 934400 bytes
                                                    MD5 hash: 0A74CBD4246A6E11077876C572A3D507
                                                    Has elevated privileges: true
                                                    Has administrator privileges: true
                                                    Programmed in: .Net C# or VB.NET
                                                    Reputation: low

                                                    General

                                                    Start time: 12:01:15
                                                    Start date: 22/07/2021
                                                    Path: C:\Users\user\Desktop\RFQ_ 21072021.exe
                                                    Wow64 process (32bit): true
                                                    Commandline: C:\Users\user\Desktop\RFQ_ 21072021.exe
                                                    Imagebase: 0xd90000
                                                    File size: 934400 bytes
                                                    MD5 hash: 0A74CBD4246A6E11077876C572A3D507
                                                    Has elevated privileges: true
                                                    Has administrator privileges: true
                                                    Programmed in: .Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp, Author: Joe Security
                                                    Reputation: low

                                                    Disassembly

                                                    Code Analysis

                                                      Execution Graph

                                                      Execution Coverage: 10.3%
                                                      Dynamic/Decrypted Code Coverage: 100%
                                                      Signature Coverage: 0%
                                                      Total number of Nodes: 61
                                                      Total number of Limit Nodes: 8

                                                      Graph

                                                      Executed Functions

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.470420033.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_14f0000_RFQ_ 21072021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: \$\$\$\
                                                      • API String ID: 0-3238275731
                                                      • Opcode ID: 4ea40d21f056084b2b45322bda34deb32888c8701233454ec3dfaa3e72fbc712
                                                      • Instruction ID: f8ebd72e48759fe29d59c7025fd18a0acf4fede5d63ebb489e845da9d4918995
                                                      • Opcode Fuzzy Hash: 4ea40d21f056084b2b45322bda34deb32888c8701233454ec3dfaa3e72fbc712
                                                      • Instruction Fuzzy Hash: F0B27D70F002198FDB24DFB8C8547AEB6F2AF89704F14846EE609AB394DF759C858B51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.470420033.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_14f0000_RFQ_ 21072021.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: bcdfbda2583d259f18e80d360099254500223c01840f1278818e4468181d6f43
                                                      • Instruction ID: 00f75627a5edbe74b07c12dbb3feb8ca290244eca61c10e76114103ba33fb71b
                                                      • Opcode Fuzzy Hash: bcdfbda2583d259f18e80d360099254500223c01840f1278818e4468181d6f43
                                                      • Instruction Fuzzy Hash: FCA19E34A0430ADFDB15ABB9D4587AEBBF2AF84704F14842AE506DB7A1DB38DC05CB50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.470420033.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_14f0000_RFQ_ 21072021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 67fb7a29611199b311cb8e3d13065c99c333c7d67d058b98c7e8510fef19cba8
                                                      • Instruction ID: f13e30322173a825d89988f8066aa72d9d2b4eb6f920ccfdc1a37bd0110953c5
                                                      • Opcode Fuzzy Hash: 67fb7a29611199b311cb8e3d13065c99c333c7d67d058b98c7e8510fef19cba8
                                                      • Instruction Fuzzy Hash: C9C2CE30B056058FDB519E6CC8647AE77A2EFC5318F15892EE189DFB64EF369C818B40
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.470420033.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_14f0000_RFQ_ 21072021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: adde039a017b76993674ba7b5728463da92a1d84a8450b03ad6c1df2655d0355
                                                      • Instruction ID: dd5bea74fcc04530ff79d2261b83fce443a67b3921fab9208e5207c370274d12
                                                      • Opcode Fuzzy Hash: adde039a017b76993674ba7b5728463da92a1d84a8450b03ad6c1df2655d0355
                                                      • Instruction Fuzzy Hash: 3E724D31B0CB058BC7649A5DB86539D76A1EFC1238F064FEF85884EB19E6325DD18BC2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.470420033.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_14f0000_RFQ_ 21072021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f7c8506c0fd31ffc7bd528e29658b31489e1eae07002532b115d4304e12c7925
                                                      • Instruction ID: 27fa4605586ee4839abca0251586d450f9f7549aab63ff233c64a98edbf6c5e2
                                                      • Opcode Fuzzy Hash: f7c8506c0fd31ffc7bd528e29658b31489e1eae07002532b115d4304e12c7925
                                                      • Instruction Fuzzy Hash: C9429370A002498FEB25DFA8C4547AEB7B2AF85304F24C4AED5199F396CB74DC85CB61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.470420033.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_14f0000_RFQ_ 21072021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f97ba8a2c2fb40584fed06a907c2dfc845741566bfa7c60141b369a76e9dd8cb
                                                      • Instruction ID: af322127cbf31587ca3790b282d702857f8e04e523f7ac841499288577a93bfa
                                                      • Opcode Fuzzy Hash: f97ba8a2c2fb40584fed06a907c2dfc845741566bfa7c60141b369a76e9dd8cb
                                                      • Instruction Fuzzy Hash: 66328070E002488FEB25DFA8C4547AEB7B2AF85304F24856ED5199F396CB74DC85CB62
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.470553982.00000000015A0000.00000040.00000001.sdmp, Offset: 015A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_15a0000_RFQ_ 21072021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7c3b71216fc33cfe221bf023d2264924c9535b73ddef16ed72c9a710665f4156
                                                      • Instruction ID: ee8c31ffb3f1c1f90918ec5fba451af410ec5f811ae59c42251012dc2a49b8c0
                                                      • Opcode Fuzzy Hash: 7c3b71216fc33cfe221bf023d2264924c9535b73ddef16ed72c9a710665f4156
                                                      • Instruction Fuzzy Hash: DF12D5F06027459BD710EF69E8481C93BB1F745B28F504318EAA12B2D9F7BD119ACF68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.470553982.00000000015A0000.00000040.00000001.sdmp, Offset: 015A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_15a0000_RFQ_ 21072021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 28574c0e73f868ad2406603be6589072bd7d19561578620ce1ed81ce5feb3f34
                                                      • Instruction ID: 5f5f8e370ea2bdf7c1414fbc3b579eaf93aeca70867b7b7c19bd6df2d0d98a3b
                                                      • Opcode Fuzzy Hash: 28574c0e73f868ad2406603be6589072bd7d19561578620ce1ed81ce5feb3f34
                                                      • Instruction Fuzzy Hash: FBC19D74A007068FCB04EFB9C49069EBBF5FF89214B54896EC50ADB751DB78E805CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.470553982.00000000015A0000.00000040.00000001.sdmp, Offset: 015A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_15a0000_RFQ_ 21072021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f2b58a76c559eced1cee86a1299d03ab5abc3483324f1ab2e3ca3d31dad33692
                                                      • Instruction ID: be4fd6e5e1ed3ed632fc5a50c2297f9aa4886e19f495ba2c68f63ccf890e3139
                                                      • Opcode Fuzzy Hash: f2b58a76c559eced1cee86a1299d03ab5abc3483324f1ab2e3ca3d31dad33692
                                                      • Instruction Fuzzy Hash: BEC16FB0A027458FD710EF69E8481C93BB1FB85B24F544319E5A12B2D9F7BD148ACF68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.470553982.00000000015A0000.00000040.00000001.sdmp, Offset: 015A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_15a0000_RFQ_ 21072021.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 26eb6414c656e6bc0b41e1d8564c673e920f922d81c82e12a9908487ffe433fc
                                                      • Instruction ID: e6ee4cdc911b0b7b3972e473b5773a549158063d18d7c53fdd92d97704e44a34
                                                      • Opcode Fuzzy Hash: 26eb6414c656e6bc0b41e1d8564c673e920f922d81c82e12a9908487ffe433fc
                                                      • Instruction Fuzzy Hash: 04C16FB0A027458FD711EF68E8481C93BB1FB85B24F544319E5A12B2D9F7BD148ACF68
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 015A6BB0
                                                      • GetCurrentThread.KERNEL32 ref: 015A6BED
                                                      • GetCurrentProcess.KERNEL32 ref: 015A6C2A
                                                      • GetCurrentThreadId.KERNEL32 ref: 015A6C83
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.470553982.00000000015A0000.00000040.00000001.sdmp, Offset: 015A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_15a0000_RFQ_ 21072021.jbxd
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: 5a07812fe853f9ce5f77822a4890e07bae09234743cc5efcd5db2efd9f8ab672
                                                      • Instruction ID: f244bcc2881054d9a0d1c152c6e98fb14869779afff990efa0197bcdc66a9e56
                                                      • Opcode Fuzzy Hash: 5a07812fe853f9ce5f77822a4890e07bae09234743cc5efcd5db2efd9f8ab672
                                                      • Instruction Fuzzy Hash: D75167B0A043488FDB14CFA9C548B9EBFF0FF49314F14849AE159AB361DB389844CB61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 015A6BB0
                                                      • GetCurrentThread.KERNEL32 ref: 015A6BED
                                                      • GetCurrentProcess.KERNEL32 ref: 015A6C2A
                                                      • GetCurrentThreadId.KERNEL32 ref: 015A6C83
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.470553982.00000000015A0000.00000040.00000001.sdmp, Offset: 015A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_15a0000_RFQ_ 21072021.jbxd
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: 2aa14010bf9de6bce433a0c5adf68f9bc29ba30d0c6b5209e7aa074518745488
                                                      • Instruction ID: a2367f93116f8ce71fa39129280835144a59892376204c20c01f8f1473234f00
                                                      • Opcode Fuzzy Hash: 2aa14010bf9de6bce433a0c5adf68f9bc29ba30d0c6b5209e7aa074518745488
                                                      • Instruction Fuzzy Hash: F85144B0A006499FDB54CFAAC688BEEBBF0FF48314F248459E119A7350DB346984CF65
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (rendered image not recoverable; summarised from the extracted node list): 17 basic blocks spanning 14fb840-14fba70; API call LdrInitializeThunk in block 14fb88a-14fb8fc.
APIs
Memory Dump Source
• Source File: 00000005.00000002.470420033.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_14f0000_RFQ_ 21072021.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 44c8ac3b1154f2efe206d7f21ffc86875a455a87573b2672ff4b8341ce60b5b8
• Instruction ID: 2ec066797fc79f7d688374be9145a54ea6b4082beb4d745962265eb62c3e66c3
• Opcode Fuzzy Hash: 44c8ac3b1154f2efe206d7f21ffc86875a455a87573b2672ff4b8341ce60b5b8
• Instruction Fuzzy Hash: 8151B671B002059FCB04ABB5D858AAEB7F6FF89304F14856AE506DB3A5EF34DC058761
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (rendered image not recoverable; summarised from the extracted node list): 22 basic blocks spanning 14fb830-14fba70; API call LdrInitializeThunk in block 14fb8e5-14fb8fc.
APIs
Memory Dump Source
• Source File: 00000005.00000002.470420033.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_14f0000_RFQ_ 21072021.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 9f892e350f3bb036033eab6f50b25f8956474a79fd8c59a304e2e10cca63da91
• Instruction ID: c71870b5c4edfb81d7e0ec8f0b53029615983b79ee1b14f9e2b7a28cc0e3357d
• Opcode Fuzzy Hash: 9f892e350f3bb036033eab6f50b25f8956474a79fd8c59a304e2e10cca63da91
• Instruction Fuzzy Hash: 7C519071B002059FCB04AFB4D858AAEB7F6FF89304F10856AE5169B3A5EF74DC058B61
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (rendered image not recoverable; summarised from the extracted node list): 11 basic blocks spanning 15a5184-15a5301; API call CreateWindowExW in block 15a5253-15a52b2; the final block at 15a5301 loops back to itself.
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 015A52A2
Memory Dump Source
• Source File: 00000005.00000002.470553982.00000000015A0000.00000040.00000001.sdmp, Offset: 015A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_15a0000_RFQ_ 21072021.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: aad921f4567de37ea44201df357e3fbeea44e2b43ab499858eedf048287de172
• Instruction ID: bea0156c98eed746e87f5acc1bd41256081b94fabb4a281c0d4969b6eb600b06
• Opcode Fuzzy Hash: aad921f4567de37ea44201df357e3fbeea44e2b43ab499858eedf048287de172
• Instruction Fuzzy Hash: D751AEB1D103499FDB14CF99D884ADEBFB5FF88314F64852AE819AB210D774A885CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (rendered image not recoverable; summarised from the extracted node list): 10 basic blocks spanning 15a5190-15a5301; API call CreateWindowExW in block 15a5213-15a52b2; the final block at 15a5301 loops back to itself.
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 015A52A2
Memory Dump Source
• Source File: 00000005.00000002.470553982.00000000015A0000.00000040.00000001.sdmp, Offset: 015A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_15a0000_RFQ_ 21072021.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 69634b71770b49f0ae5a83250e92407860147c4afef0849a5dab4a165c29c36a
• Instruction ID: e9527f28c12177dc740cb7f65975a2a1e5266175b630dea5cd66d147512f9cc2
• Opcode Fuzzy Hash: 69634b71770b49f0ae5a83250e92407860147c4afef0849a5dab4a165c29c36a
• Instruction Fuzzy Hash: BD41AEB1D10309AFDB14CF99C884ADEBFB5FF48314F64852AE919AB210D774A885CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (rendered image not recoverable; summarised from the extracted node list): 6 basic blocks, entry at 15a6e3a, covering 15a6dcb-15a6f66; API call DuplicateHandle in block 15a6dcb-15a6e0c.
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015A6DFF
Memory Dump Source
• Source File: 00000005.00000002.470553982.00000000015A0000.00000040.00000001.sdmp, Offset: 015A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_15a0000_RFQ_ 21072021.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 5171555b6757d341dc0d1f360c7a02f779b780568e07b2d7e3b71479c1589d91
• Instruction ID: c359a8aa263aa8e40ceb4d7f9e24e60e52ecc07ae727597433084236f87d98f4
• Opcode Fuzzy Hash: 5171555b6757d341dc0d1f360c7a02f779b780568e07b2d7e3b71479c1589d91
• Instruction Fuzzy Hash: 86415EB8B40288DFE701DFA5E699AA97BE5FB49314F108069E9019B784DB794841CF22
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (rendered image not recoverable; summarised from the extracted node list): 10 basic blocks spanning 15a6964-15a7d54; API call CallWindowProcW in block 15a7cd2-15a7d0a; internal call to 15a3ca4 in block 15a7d24-15a7d44.
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 015A7CF9
Memory Dump Source
• Source File: 00000005.00000002.470553982.00000000015A0000.00000040.00000001.sdmp, Offset: 015A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_15a0000_RFQ_ 21072021.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 5c677cb78b5aa6aa201665b523795be23c298c54301f8d97ee17f1b0ecbf2cca
• Instruction ID: 1f6295fe4f0a5e1b89c838767a0a5bc0733e5d4017a6e0aa8935b39cf5a92e3e
• Opcode Fuzzy Hash: 5c677cb78b5aa6aa201665b523795be23c298c54301f8d97ee17f1b0ecbf2cca
• Instruction Fuzzy Hash: AB4118B5A00209DFDB14CF99C488BAEBBF5FF88314F148859E519AB321D735A941CFA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (rendered image not recoverable; summarised from the extracted node list): 4 basic blocks spanning 15a6d78-15a6e32; API call DuplicateHandle in block 15a6dcf-15a6e0c.
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015A6DFF
Memory Dump Source
• Source File: 00000005.00000002.470553982.00000000015A0000.00000040.00000001.sdmp, Offset: 015A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_15a0000_RFQ_ 21072021.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 69ba1ae9ca93aa7b03f27ba0bcce1600d44a3581a72ef013c14feb36cec1a2d0
• Instruction ID: 958339d2795083914e243ae582449485848d58d7b0771fca967b4f0b35ea15fd
• Opcode Fuzzy Hash: 69ba1ae9ca93aa7b03f27ba0bcce1600d44a3581a72ef013c14feb36cec1a2d0
• Instruction Fuzzy Hash: BB21D5B5D00208AFDB10CF9AD584ADEBBF4FB48324F14841AE914A7310D774A954CFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (rendered image not recoverable; summarised from the extracted node list): 4 basic blocks spanning 15a6d72-15a6e32; API call DuplicateHandle in block 15a6dcf-15a6e0c.
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015A6DFF
Memory Dump Source
• Source File: 00000005.00000002.470553982.00000000015A0000.00000040.00000001.sdmp, Offset: 015A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_15a0000_RFQ_ 21072021.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 9f79e05624c7450ac78b50e17ee27581863eaa66bfef478c18cb781457329ecf
• Instruction ID: a2d3082edcc3090d7b29523c0a3f3c935a1ed7b88715a33144efabcd2f7aa959
• Opcode Fuzzy Hash: 9f79e05624c7450ac78b50e17ee27581863eaa66bfef478c18cb781457329ecf
• Instruction Fuzzy Hash: 4421C2B5D00208AFDB10CFA9D584AEEBBF4FF48324F14841AE914A7311D378AA54CFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (rendered image not recoverable; summarised from the extracted node list): 8 basic blocks spanning 15abdf8-15abebe; internal call to 15abec0 in block 15abdf8-15abe3a; API call RtlEncodePointer in block 15abe52-15abe83.
APIs
• RtlEncodePointer.NTDLL(00000000), ref: 015ABE72
Memory Dump Source
• Source File: 00000005.00000002.470553982.00000000015A0000.00000040.00000001.sdmp, Offset: 015A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_15a0000_RFQ_ 21072021.jbxd
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: ca41f46ccd0b1b8a94720df9b74fcc48a63c207ffa9741e36a77271fade73874
• Instruction ID: c74b44f3141061cf3fd8aa7a890a92884860a17a52a92f62f17dbec3ebd73763
• Opcode Fuzzy Hash: ca41f46ccd0b1b8a94720df9b74fcc48a63c207ffa9741e36a77271fade73874
• Instruction Fuzzy Hash: 061181B19007098FDB50DFAAC54879EBFF4FB48324F508429D649A7701CB396944CFA1
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Memory Dump Source
• Source File: 00000005.00000002.470420033.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_14f0000_RFQ_ 21072021.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 39f363d9293cf94a67a5cb403ed5e567a31a41ab51fe6cf5725bade5aa194670
• Instruction ID: 55d48742bc76848ee4ad34209f94f9b636d71c03b2f82f60a92651839a429731
• Opcode Fuzzy Hash: 39f363d9293cf94a67a5cb403ed5e567a31a41ab51fe6cf5725bade5aa194670
• Instruction Fuzzy Hash: 7BA1AB70B003058BDB14AFB988597AE76F7AFC8614F148829F606EB3A5EF35DC058791
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.470553982.00000000015A0000.00000040.00000001.sdmp, Offset: 015A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_15a0000_RFQ_ 21072021.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d9fd810a820074179e27db9ea7478ff76b5c6523ba4b52e908415c3fd2f44cca
• Instruction ID: 8b1f3bf1a3ab36a4c1e3e8725bb6275edddf1acd35397f45aecfbca4a2ebe349
• Opcode Fuzzy Hash: d9fd810a820074179e27db9ea7478ff76b5c6523ba4b52e908415c3fd2f44cca
• Instruction Fuzzy Hash: 6B91B478B042148FDB18EBB5A4552BE7AB7BFC9604F59882EE506DB788DF34CC018791
Uniqueness

Uniqueness Score: -1.00%