
Windows Analysis Report RFQ_ 21072021.exe

Overview

General Information

Sample Name: RFQ_ 21072021.exe
Analysis ID: 452459
MD5: 0a74cbd4246a6e11077876c572a3d507
SHA1: 0a4f341f4e9b399fa37a42e041bb3bb3b6f455ff
SHA256: 4856e75e63f0c5c14255001eefbea1d88c99fa8b7279dd0703a407a90b222b93

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • RFQ_ 21072021.exe (PID: 4792 cmdline: 'C:\Users\user\Desktop\RFQ_ 21072021.exe' MD5: 0A74CBD4246A6E11077876C572A3D507)
    • RFQ_ 21072021.exe (PID: 2408 cmdline: C:\Users\user\Desktop\RFQ_ 21072021.exe MD5: 0A74CBD4246A6E11077876C572A3D507)
  • cleanup
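
The process tree shows the loader starting a second copy of its own image with no arguments (PID 4792 -> PID 2408); read together with the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures listed above, that is the self-hollowing pattern commonly seen in .NET AgentTesla loaders. The following Python is an added detection example for this page, not code from Joe Sandbox or from the sample. It runs a self-spawn heuristic over Sysmon-style process-creation records that are constructed here: the field names are simplified, only the two RFQ_ 21072021.exe entries mirror the tree (the parent PID of the first is made up), and the remaining records are benign controls.

```python
"""
Self-spawn / hollowing heuristic for the execution pattern in the process tree
(RFQ_ 21072021.exe PID 4792 starting RFQ_ 21072021.exe PID 2408).
Added example; the records below are constructed, not taken from the report.
Field names are a simplified Sysmon Event ID 1 layout (assumption).
"""

# Directories from which a self-spawning image is worth flagging. Installed
# browsers and updaters under Program Files spawn copies of themselves
# routinely, so they are deliberately excluded by this list.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

EVENTS = [
    # Mirrors the report's tree; parent PID 1000 / explorer.exe are assumptions.
    {"pid": 4792, "ppid": 1000, "image": r"C:\Users\user\Desktop\RFQ_ 21072021.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"'C:\Users\user\Desktop\RFQ_ 21072021.exe'"},
    {"pid": 2408, "ppid": 4792, "image": r"C:\Users\user\Desktop\RFQ_ 21072021.exe",
     "parent_image": r"C:\Users\user\Desktop\RFQ_ 21072021.exe",
     "cmdline": r"C:\Users\user\Desktop\RFQ_ 21072021.exe"},
    # Constructed benign controls: Chromium-style worker processes and a shell.
    {"pid": 5100, "ppid": 5000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer'},
    {"pid": 6100, "ppid": 6000, "image": r"C:\Users\user\AppData\Local\Discord\app-1.0.9\Discord.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Discord\app-1.0.9\Discord.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Discord\app-1.0.9\Discord.exe" --type=gpu-process'},
    {"pid": 7000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c whoami"},
]


def in_user_writable_dir(path):
    """True when the image lives somewhere an unprivileged user can write."""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def args_without_image(cmdline, image):
    """Strip the (optionally quoted) image path from the front of a command line.

    Paths with spaces (as in RFQ_ 21072021.exe) make naive splitting on the
    first blank unreliable, so the full image path is matched as a prefix.
    If the line does not start with the image, the whole line is returned and
    treated as arguments, which errs on the side of not flagging.
    """
    c = cmdline.strip()
    low, img = c.lower(), image.lower()
    for prefix in (img, "'" + img + "'", '"' + img + '"'):
        if low.startswith(prefix):
            return c[len(prefix):].strip()
    return c


def self_spawn_candidates(events):
    """Flag a process that (1) has the same image as its parent, (2) lives in a
    user-writable directory and (3) received no arguments beyond its own path:
    the shape of a loader preparing a hollowed copy of itself."""
    hits = []
    for e in events:
        if e["image"].lower() != e["parent_image"].lower():
            continue
        if not in_user_writable_dir(e["image"]):
            continue
        if args_without_image(e["cmdline"], e["image"]):
            continue  # worker processes carry --type=... style arguments
        hits.append({"parent_pid": e["ppid"], "child_pid": e["pid"], "image": e["image"]})
    return hits


if __name__ == "__main__":
    for hit in self_spawn_candidates(EVENTS):
        print(hit)
```

The argument check is what keeps Electron and Chromium applications installed under AppData out of the results; a child that was started with a verbatim copy of the parent's image path and nothing else has no legitimate reason to exist in most environments, and in this report it is exactly the process (PID 2408) whose memory carried the unpacked AgentTesla payload.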

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "webmaster@tccinfaes.com", "Password": "transportes", "Host": "mail.tccinfaes.com"}
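
The extracted configuration gives the exfiltration channel directly: authenticated SMTP to mail.tccinfaes.com, which the traffic section further down shows resolving to 188.93.227.195 and being contacted on TCP/587. The following Python is an added example for this page, not code from Joe Sandbox or from the sample. It derives hunt indicators from that configuration and checks them against Zeek-style DNS and connection records that are constructed here; the tab-separated field layout is an assumption of the example, not Zeek's real schema.

```python
"""
Turn the AgentTesla configuration and the network observations from the report
on RFQ_ 21072021.exe into hunt indicators and run them over log records.
Added example; the log records are constructed, not taken from the report,
and the field layout is an assumption of this example.
"""
import json
from ipaddress import ip_address

# Copied from the "Malware Configuration" section of the report.
REPORT_CONFIG = json.loads(
    '{"Exfil Mode": "SMTP", "Username": "webmaster@tccinfaes.com", '
    '"Password": "transportes", "Host": "mail.tccinfaes.com"}'
)
# Copied from the report's TCP traffic line (192.168.2.3:49739 -> 188.93.227.195:587).
C2_IP = "188.93.227.195"
SUBMISSION_PORT = 587

# Constructed records, tab separated.
#   dns  = ts, src, resolver, query, qtype
#   conn = ts, src, sport, dst, dport, proto
SAMPLE_DNS = [
    "1626850000.1\t192.168.2.3\t8.8.8.8\tmail.tccinfaes.com\tA",
    "1626850001.0\t192.168.2.7\t8.8.8.8\twww.example.com\tA",
]
SAMPLE_CONN = [
    "1626850000.5\t192.168.2.3\t49739\t188.93.227.195\t587\ttcp",
    "1626850002.0\t192.168.2.7\t51000\t93.184.216.34\t443\ttcp",
    "1626850003.0\t192.168.2.9\t52000\t10.0.0.5\t587\ttcp",
    "1626850004.0\t192.168.2.11\t53000\t8.8.4.4\t587\ttcp",
]


def build_iocs(config, c2_ip=C2_IP):
    """Derive hunt indicators from an AgentTesla SMTP configuration.

    The exfil host is the primary indicator. The mailbox domain is a weaker
    second pivot: the account may sit on a different host, and the domain may
    belong to a compromised third party rather than to the actor.
    """
    host = config["Host"].lower().rstrip(".")
    mail_domain = config["Username"].split("@", 1)[1].lower()
    return {"domains": {host, mail_domain}, "ips": {c2_ip}}


def _matches_domain(query, domains):
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def hunt_dns(lines, iocs):
    """Return DNS records that resolve a known exfil/mail domain or a subdomain of it."""
    hits = []
    for line in lines:
        ts, src, _resolver, query, _qtype = line.split("\t")
        if _matches_domain(query, iocs["domains"]):
            hits.append({"ts": ts, "src": src, "query": query, "reason": "exfil-domain"})
    return hits


def hunt_conn(lines, iocs, port=SUBMISSION_PORT):
    """Return connections to the C2 IP, plus any outbound SMTP submission
    (TCP/587) from a client to a non-private address: AgentTesla's SMTP mode
    needs it, and workstations rarely talk to an external submission port
    directly instead of through the organisation's own relay."""
    hits = []
    for line in lines:
        ts, src, _sport, dst, dport, _proto = line.split("\t")
        if dst in iocs["ips"]:
            hits.append({"ts": ts, "src": src, "dst": dst, "reason": "c2-ip"})
        elif int(dport) == port and not ip_address(dst).is_private:
            hits.append({"ts": ts, "src": src, "dst": dst, "reason": "external-smtp-submission"})
    return hits


if __name__ == "__main__":
    iocs = build_iocs(REPORT_CONFIG)
    for hit in hunt_dns(SAMPLE_DNS, iocs) + hunt_conn(SAMPLE_CONN, iocs):
        print(hit)
```

The second branch of hunt_conn is the one that survives infrastructure changes: the C2 address will rotate, but an AgentTesla build in SMTP mode always has to reach some external submission port. Where the mail account in the configuration belongs to a legitimate business, the right response is to notify them so the credential is revoked, which cuts off every infected host at once regardless of which IP the mail server is on.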

Yara Overview

Memory Dumps

Source: 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: Process Memory Space: RFQ_ 21072021.exe PID: 2408 | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: Process Memory Space: RFQ_ 21072021.exe PID: 2408 | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security

Unpacked PEs

Source: 5.2.RFQ_ 21072021.exe.400000.0.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 5.2.RFQ_ 21072021.exe.400000.0.unpack | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 5.2.RFQ_ 21072021.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "webmaster@tccinfaes.com", "Password": "transportes", "Host": "mail.tccinfaes.com"}

Multi AV Scanner detection for submitted file
Source: RFQ_ 21072021.exe | Virustotal: Detection: 30%
Source: RFQ_ 21072021.exe | ReversingLabs: Detection: 15%

Machine Learning detection for sample
Source: RFQ_ 21072021.exe | Joe Sandbox ML: detected

Source: 5.2.RFQ_ 21072021.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: RFQ_ 21072021.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: RFQ_ 21072021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: global traffic | TCP traffic: 192.168.2.3:49739 -> 188.93.227.195:587
Source: Joe Sandbox View | IP Address: 188.93.227.195
Source: Joe Sandbox View | ASN Name: CLARANET-ASClaraNETLTDGB
Source: unknown | DNS traffic detected: queries for: mail.tccinfaes.com
Source: RFQ_ 21072021.exe, 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RFQ_ 21072021.exe, 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RFQ_ 21072021.exe, 00000005.00000002.473275358.00000000034E4000.00000004.00000001.sdmp | String found in binary or memory: http://TryUj9XyxT6LakY.org
Source: RFQ_ 21072021.exe | String found in binary or memory: http://api.twitter.com/1/direct_messages.xml?since_id=
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | String found in binary or memory: http://mail.tccinfaes.com
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0)
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | String found in binary or memory: http://tccinfaes.com
Source: RFQ_ 21072021.exe | String found in binary or memory: http://twitter.com/statuses/user_timeline.xml?screen_name=
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: RFQ_ 21072021.exe, 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp | String found in binary or memory: http://xmALXm.com
Source: RFQ_ 21072021.exe, 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RFQ_ 21072021.exe, 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations
Source: 5.2.RFQ_ 21072021.exe.400000.0.unpack, <PrivateImplementationDetails>{8EE18770-EECE-4ADF-9E9E-074DF25730B2}/11D6105C-DC1D-4AAA-8C1B-C3E13237EBD4.cs | Large array initialization: .cctor: array initializer size 11960

Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_014FC898
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_014F2B98
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_014F55E0
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_014F8690
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_014F0B10
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_014F2B84
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_015A47A0
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_015A3E4A
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_015A4752
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_015A4790
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_015AD661
Source: RFQ_ 21072021.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RFQ_ 21072021.exe, 00000000.00000000.200067110.00000000005DA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameValueFix.exe8 vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe, 00000005.00000002.470604186.00000000015CA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe, 00000005.00000002.470440078.0000000001500000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe, 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamegzwcjkfsADBjJOEQlRwAtFYMhaFmnBBLEezh.exe4 vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe, 00000005.00000002.475880688.0000000006310000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe, 00000005.00000000.251584660.0000000000E5A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameValueFix.exe8 vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe, 00000005.00000002.468933088.0000000000FA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe, 00000005.00000002.469162239.00000000012F8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe | Binary or memory string: OriginalFilenameValueFix.exe8 vs RFQ_ 21072021.exe
Source: RFQ_ 21072021.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: RFQ_ 21072021.exe, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.RFQ_ 21072021.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.RFQ_ 21072021.exe.d90000.1.unpack, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.RFQ_ 21072021.exe.d90000.0.unpack, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ_ 21072021.exe.log
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\RFQ_ 21072021.exe 'C:\Users\user\Desktop\RFQ_ 21072021.exe'
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Process created: C:\Users\user\Desktop\RFQ_ 21072021.exe C:\Users\user\Desktop\RFQ_ 21072021.exe
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: RFQ_ 21072021.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Code function: 5_2_014FADEB pushad ; retf
Source: initial sample | Static PE information: section name: .text entropy: 7.56840197347
Source: RFQ_ 21072021.exe, vH5CTpL7PRrybq4BEx/DvSBiax85Mf9iXnJls.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'TUkhHwEoMQ', 'jexqB0sQvf', 'EAMq0Lgmng', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'DvQq9YiAtj'
Source: RFQ_ 21072021.exe, hFoyd9ZZlscN3Tfusf/bsYUZZyCX661EfBocS.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'kZMhivpLIy', 'x1PKGpaia1', 'BJaKdSKsIu', 'cGEKnJLZ5S', 'zqEKR4RpPQ', 'RvgKyr1y5H', 'NfBKDsUM5S', 'lqVKBUFGHP'
Source: RFQ_ 21072021.exe, iXcXSY7pg6yVKma70g/jLGGdLl5HwEF2rsueU.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'IBvOK1Pi9i', 'SKo7x85PYt', 'bku7L97UVm', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ', 'xrRqccSKZU', 'FB3JJ7eR0b'
Source: RFQ_ 21072021.exe, mnTCYWkpLjqq4LGHqX/kfr1mxPYEEI8CfmbyY.cs | High entropy of concatenated method names: 'RMtXalTxwL', 'jOaXRpwgJK', 'Q5aX2yhTm1', 'xTiXQQsa9W', 'B0IXY77Bln', 'CnDX8xXo6b', 'yyNXnjGTLw', 'c8vXTNTefY', 'kYTX4YC92l', 'SeYXSfOxoW'
Source: RFQ_ 21072021.exe, tTffFSW6kXuWfKvgpm/UOSweUjq7D3sPinCNu.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'wsnOiC6GaD', 'hHGOMCIsTu', 'BJkONONCLV', 'KPQOu61RIR', 'HxMOnKvXh0', 'kgBqlLSUTV', 'obyq3hstbD', 'BMNqCWfTgZ'
Source: RFQ_ 21072021.exe, w6i5Cem3b4xmaEE2yY/rUOALAfKg30nVuRCdr.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'qH2gvI9wZD', 'o3YJ90YG3K', 'VQ1JzqnLgi', 'WwW71Ti0Ad', 'v1F7ZYu8Uf', 'dxP7NYx2jU', 'kyw7irjvf8', 'wM57hnS8DW'
Source: RFQ_ 21072021.exe, BOhciDTI7UxO4gCOYU/Ksq8yb8IncZbxUSfmK.cs | High entropy of concatenated method names: 'HZlDPscN3T', 'NusDkf5vSB', 'cnJDblsYH5', 'HTpD57PRry', 'fALD6AKg30', 'kVuDURCdrY', 'Fi5DCCe3b4', 'LmaD9EE2yY', 'a3sDoPinCN', 'jATDyffFS6'
Source: RFQ_ 21072021.exe, pRlxiNUbgypVuoP6Uh/B4JTi56RhtZikvpub4.cs | High entropy of concatenated method names: 's3PpInSb1e', 'bripoYOGY3', 'cONpZriHm4', 'p1Ipx2BLIJ', 'yuDpfSAUcP', 'rv9pmVEwn5', 'odXpjX6no1', 'zUhpW2PJTx', 'HEJp7SLcUP', 'm6Epc8HDNQ'
Source: RFQ_ 21072021.exe, ucjN5K3ZYUO98lIfqb/ODOgBDHsK3y71CAxuQ.cs | High entropy of concatenated method names: 'FsAGkxXBtY', 'TQpG6mcP37', 'NwdGUDD57w', '.ctor', '.ctor', 'upuGtXdOLY', 'mDjGb9jM1G', 'eutG5DCn44', 'sqXGKZ9lIE', 'U4ObLnO8pNqZRXbmlDm'
Source: RFQ_ 21072021.exe, RfbfwGoi8RPSlkqfew/qGs0IBIGoXtVyYiA1b.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'ehiKVxgOqk', 'LXqKXarBEi', 'BLMKWrRO8N', 'xuZKgi2kW4', 'bKKKjrFVis', 'sDiK8i9FmT', 'SDnKo9k9ij', 'EYEKf66OdJ'
Source: RFQ_ 21072021.exe, kXrdsv5uiP4KNIMTbI/G3qiembJ0C8UrfLoZV.cs | High entropy of concatenated method names: 'bagpr2m3hV', 'iGapBfs8pV', 'h6Ipqu7YNW', 'TFJpJ0FEjI', 'krmpap9A66', 'lQ9pRAvFtZ', 'WfIpAOuqVa', 'TpNp2rG3xC', 'vCrpQI9Vta', 'GClpsf0sCk'
Source: RFQ_ 21072021.exe, gqpYcCwBrSrjvOKN6q/IQsis3cmuWgyYrWLIv.cs | High entropy of concatenated method names: '.ctor', 'YN9GDMDqbS', 'UwiGXgxhR5', 'gthGpXFG2c', 'ngcGhmkHlQ', 'HVCGgN1oxl', 'KhMGO58mrv', 'eg5aFLImrdSvdXjBWky', 'SO4kInIZEE6eEbTFr2r', 'jraHeDIreMNgnEaTC1n'
Source: RFQ_ 21072021.exe, kYTYC9Dp2lHvdL05CDn/hCHQaLDX5jt1yNjGTLw.cs | High entropy of concatenated method names: '.ctor', 'mDDGcb94xK', 'G8QGwwKryy', 'THMGvTWsr1', 'f5AG0KfJH7', 'z24GHSyjdO', 'BcvG3YDk2Q', 'bdPGdKrmpJ', 'HX3GeiDjeb', 'CTiGzf0MTM'
Source: RFQ_ 21072021.exe, LkgEbVzqnyfvD9F8H4/oEghyCe5Od9Uuo0voS.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'eliGylqiUR', 'VI27Op8v8m', 'ssN7QONSW9', 'R3lWrtO1QeoiU6PecH5', 'BnDSLGO713q4vgaRLQF', 'B9k7VDOxqLZy0YQN1hV', 'exF0vPON2GlJMfaSuqm', 'ovBBCAOvd0wREXMLZFH'
Source: RFQ_ 21072021.exe, qNHMG6DDHOYZZ5NjAIq/pdO1x8DEK7IDC09kUd6.cs | High entropy of concatenated method names: 'Dispose', 'JlJGLNYeE8', 'Q4nGfoJqPc', 'DXPGmUGTfi', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'xDZsj1OsUUcAGBnvxhH', 'BiQy5SOUvqUO3fyuhUy'
Source: 0.0.RFQ_ 21072021.exe.510000.0.unpack, 5.2.RFQ_ 21072021.exe.d90000.1.unpack and 5.0.RFQ_ 21072021.exe.d90000.0.unpack | High entropy of concatenated method names: the same fifteen .cs files with the same method-name sets as listed for RFQ_ 21072021.exe above
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion:

                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Window / User API: threadDelayed 968
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Window / User API: threadDelayed 8887
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe TID: 4872 Thread sleep time: -45897s >= -30000s
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe TID: 720 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe TID: 1492 Thread sleep time: -17524406870024063s >= -30000s
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe TID: 3412 Thread sleep count: 968 > 30
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe TID: 3412 Thread sleep count: 8887 > 30
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Thread delayed: delay time: 45897
                Source: RFQ_ 21072021.exe, 00000005.00000002.475880688.0000000006310000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: RFQ_ 21072021.exeBinary or memory string: DdUXhZQ[fUE6Ws]YTSk6WLInYD73f[o5QsEYYq{nV]8XY[8XVpEzfoQZd5M[]WMZ][<IgogJD}4pfy]3[3Y5]DL[]}Y4[3Y5]D75esU[\moJezE[TiU[]qET]m8Z\3QqeMU[]K<IgogJD|YJg4E[eyQ3[3Y5]DL6e3Q5\xDjfoUZd5<pfTU6\osp\SQ[]mopg|Y5XlY5Y843[wEjfoUZd5<pfTU6\osp\SQ[e|<pU843[wEjfoQ[YDL[]nopgyMKX3QZ
                Source: RFQ_ 21072021.exe, 00000005.00000002.475880688.0000000006310000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: RFQ_ 21072021.exe, 00000005.00000002.475880688.0000000006310000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: RFQ_ 21072021.exe, 00000005.00000002.470729166.000000000166F000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA=q
                Source: RFQ_ 21072021.exe, 00000005.00000002.475880688.0000000006310000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Code function: 5_2_014F11B0 LdrInitializeThunk,
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                Injects a PE file into a foreign process
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Memory written: C:\Users\user\Desktop\RFQ_ 21072021.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Process created: C:\Users\user\Desktop\RFQ_ 21072021.exe C:\Users\user\Desktop\RFQ_ 21072021.exe
                Source: RFQ_ 21072021.exe, 00000005.00000002.470935101.0000000001C00000.00000002.00000001.sdmp Binary or memory string: Program Manager
                Source: RFQ_ 21072021.exe, 00000005.00000002.470935101.0000000001C00000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                Source: RFQ_ 21072021.exe, 00000005.00000002.470935101.0000000001C00000.00000002.00000001.sdmp Binary or memory string: Progman
                Source: RFQ_ 21072021.exe, 00000005.00000002.470935101.0000000001C00000.00000002.00000001.sdmp Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Users\user\Desktop\RFQ_ 21072021.exe VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Users\user\Desktop\RFQ_ 21072021.exe VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information:

                Yara detected AgentTesla
                Source: Yara match | File source: 5.2.RFQ_ 21072021.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Yara detected AgentTesla
                Source: Yara match | File source: 5.2.RFQ_ 21072021.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RFQ_ 21072021.exe PID: 2408, type: MEMORY
                Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Tries to harvest and steal ftp login credentials
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                Tries to steal Mail credentials (via file access)
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (opened twice)
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\Desktop\RFQ_ 21072021.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Yara match | File source: 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RFQ_ 21072021.exe PID: 2408, type: MEMORY

                Remote Access Functionality:

                barindex
                Yara detected AgentTesla
                Source: Yara match | File source: 5.2.RFQ_ 21072021.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Yara detected AgentTesla
                Source: Yara match | File source: 5.2.RFQ_ 21072021.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RFQ_ 21072021.exe PID: 2408, type: MEMORY

                Mitre Att&ck Matrix

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 112 | Masquerading 1 | OS Credential Dumping 2 | Query Registry 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | Credentials in Registry 1 | Security Software Discovery 111 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 131 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Local System 2 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Virtualization/Sandbox Evasion 131 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 3 | DCSync | System Information Discovery 114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

                Behavior Graph


                Screenshots


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                Source | Detection | Scanner | Label
                RFQ_ 21072021.exe | 30% | Virustotal |
                RFQ_ 21072021.exe | 15% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                RFQ_ 21072021.exe | 100% | Joe Sandbox ML |

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                Source | Detection | Scanner | Label
                5.2.RFQ_ 21072021.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                Domains

                Source | Detection | Scanner | Label
                tccinfaes.com | 1% | Virustotal |
                mail.tccinfaes.com | 2% | Virustotal |

                URLs

                Source | Detection | Scanner | Label
                http://mail.tccinfaes.com | 2% | Virustotal |
                http://mail.tccinfaes.com | 0% | Avira URL Cloud | safe
                http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                http://DynDns.comDynDNS | 0% | URL Reputation | safe
                http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
                http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
                http://tccinfaes.com | 0% | Avira URL Cloud | safe
                http://r3.o.lencr.org0 | 0% | URL Reputation | safe
                http://TryUj9XyxT6LakY.org | 0% | Avira URL Cloud | safe
                http://xmALXm.com | 0% | Avira URL Cloud | safe
                http://r3.i.lencr.org/0) | 0% | URL Reputation | safe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe

                Domains and IPs

                Contacted Domains

                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                tccinfaes.com | 188.93.227.195 | true | true | | unknown
                mail.tccinfaes.com | unknown | unknown | true | | unknown

                URLs from Memory and Binaries

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://mail.tccinfaes.com | RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
                http://127.0.0.1:HTTP/1.1 | RFQ_ 21072021.exe, 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                http://DynDns.comDynDNS | RFQ_ 21072021.exe, 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://cps.letsencrypt.org0 | RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RFQ_ 21072021.exe, 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://x1.c.lencr.org/0 | RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://x1.i.lencr.org/0 | RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://tccinfaes.com | RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://api.twitter.com/1/direct_messages.xml?since_id= | RFQ_ 21072021.exe | false | | high
                http://r3.o.lencr.org0 | RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://TryUj9XyxT6LakY.org | RFQ_ 21072021.exe, 00000005.00000002.473275358.00000000034E4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://xmALXm.com | RFQ_ 21072021.exe, 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://twitter.com/statuses/user_timeline.xml?screen_name= | RFQ_ 21072021.exe | false | | high
                http://r3.i.lencr.org/0) | RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | RFQ_ 21072021.exe, 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
                http://cps.root-x1.letsencrypt.org0 | RFQ_ 21072021.exe, 00000005.00000002.473574016.0000000003530000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                    Contacted IPs


                    Public

                IP | Domain | Country | ASN | ASN Name | Malicious
                188.93.227.195 | tccinfaes.com | Portugal | 8426 | CLARANET-ASClaraNETLTDGB | true

                    General Information

                    Joe Sandbox Version:33.0.0 White Diamond
                    Analysis ID:452459
                    Start date:22.07.2021
                    Start time:12:00:04
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 7m 7s
                    Hypervisor based Inspection enabled:false
                    Report type:light
                    Sample file name:RFQ_ 21072021.exe
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Number of analysed new started processes analysed:25
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@3/1@2/1
                    EGA Information:
                    • Successful, ratio: 50%
                    HDC Information:Failed
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    • Found application associated with file extension: .exe
                    Warnings:
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 104.42.151.234, 40.88.32.150, 23.211.6.115, 52.147.198.201, 20.82.210.154, 23.211.4.86, 40.112.88.60, 93.184.221.240, 80.67.82.211, 80.67.82.235
                    • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, wu.ec.azureedge.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net
                    • Not all processes were analyzed, report is missing behavior information
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.

                    Simulations

                    Behavior and APIs

                    Time | Type | Description
                    12:01:14 | API Interceptor | 663x Sleep call for process: RFQ_ 21072021.exe modified

                    Joe Sandbox View / Context

                    IPs

                    Match | Associated Sample Name / URL | Detection
                    188.93.227.195 | NRPwo7uSCaLmXtV.exe | malicious
                    188.93.227.195 | zamów 1536625_pdf.exe | malicious
                    188.93.227.195 | SHIPPING DOCUMENT.exe | malicious
                    188.93.227.195 | 5evmU6c7Nx.exe | malicious
                    188.93.227.195 | Zamówienie-017.2021.exe | malicious
                    188.93.227.195 | PO HDT01-07.xlsx | malicious
                    188.93.227.195 | 184285013-044310-sanlccjavap0003-7069.exe | malicious
                    188.93.227.195 | PO DOCS 30-06.xlsx | malicious
                    188.93.227.195 | qiKDsbFyzQ.exe | malicious
                    188.93.227.195 | PO DHS312445.xlsx | malicious
                    188.93.227.195 | SecuriteInfo.com.W32.MSIL_Kryptik.DVA.genEldorado.15172.exe | malicious
                    188.93.227.195 | TRANSFER SLIP00020212405_pdf.exe | malicious
                    188.93.227.195 | RFQ-284683839.001.exe | malicious
                    188.93.227.195 | Dane bankowe.exe | malicious
                    188.93.227.195 | 33aee36c_by_Libranalysis.exe | malicious
                    188.93.227.195 | Dane bankowe.exe | malicious

                                                    Domains

                    Match | Associated Sample Name / URL | Detection

                                                    ASN

                    Match | Associated Sample Name / URL | Detection | IP
                    CLARANET-ASClaraNETLTDGB | 5qpsqg7U0G | malicious | 185.77.75.98
                    CLARANET-ASClaraNETLTDGB | 8wzyljMmmn | malicious | 138.248.76.96
                    CLARANET-ASClaraNETLTDGB | AT9n7Bk0yE | malicious | 195.8.76.231
                    CLARANET-ASClaraNETLTDGB | 0aC0TBcdxb | malicious | 195.170.117.46
                    CLARANET-ASClaraNETLTDGB | NRPwo7uSCaLmXtV.exe | malicious | 188.93.227.195
                    CLARANET-ASClaraNETLTDGB | zamów 1536625_pdf.exe | malicious | 188.93.227.195
                    CLARANET-ASClaraNETLTDGB | SHIPPING DOCUMENT.exe | malicious | 188.93.227.195
                    CLARANET-ASClaraNETLTDGB | 5evmU6c7Nx.exe | malicious | 188.93.227.195
                    CLARANET-ASClaraNETLTDGB | Zamówienie-017.2021.exe | malicious | 188.93.227.195
                    CLARANET-ASClaraNETLTDGB | PO HDT01-07.xlsx | malicious | 188.93.227.195
                    CLARANET-ASClaraNETLTDGB | 184285013-044310-sanlccjavap0003-7069.exe | malicious | 188.93.227.195
                    CLARANET-ASClaraNETLTDGB | PO DOCS 30-06.xlsx | malicious | 188.93.227.195
                    CLARANET-ASClaraNETLTDGB | qiKDsbFyzQ.exe | malicious | 188.93.227.195
                    CLARANET-ASClaraNETLTDGB | PO DHS312445.xlsx | malicious | 188.93.227.195
                    CLARANET-ASClaraNETLTDGB | SecuriteInfo.com.W32.MSIL_Kryptik.DVA.genEldorado.15172.exe | malicious | 188.93.227.195
                    CLARANET-ASClaraNETLTDGB | TRANSFER SLIP00020212405_pdf.exe | malicious | 188.93.227.195
                    CLARANET-ASClaraNETLTDGB | RFQ-284683839.001.exe | malicious | 188.93.227.195
                    CLARANET-ASClaraNETLTDGB | Dane bankowe.exe | malicious | 188.93.227.195
                    CLARANET-ASClaraNETLTDGB | 33aee36c_by_Libranalysis.exe | malicious | 188.93.227.195
                    CLARANET-ASClaraNETLTDGB | Dane bankowe.exe | malicious | 188.93.227.195

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ_ 21072021.exe.log
                                                    Process:C:\Users\user\Desktop\RFQ_ 21072021.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1314
                                                    Entropy (8bit):5.350128552078965
                                                    Encrypted:false
                                                    SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                    MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                    SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                    SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                    SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                    Malicious:true
                                                    Reputation:high, very likely benign file
                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                    Static File Info

                                                    General

                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.450390704563295
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Windows Screen Saver (13104/52) 0.07%
                                                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                    File name:RFQ_ 21072021.exe
                                                    File size:934400
                                                    MD5:0a74cbd4246a6e11077876c572a3d507
                                                    SHA1:0a4f341f4e9b399fa37a42e041bb3bb3b6f455ff
                                                    SHA256:4856e75e63f0c5c14255001eefbea1d88c99fa8b7279dd0703a407a90b222b93
                                                    SHA512:b04188c94acf13c205697681f273f370bb259ac782735b25854e412e7290a32214c00a2b0e5bf9e0d49888df2c6cc0a487ee88c320d9b440c0205b48895d1d59
                                                    SSDEEP:12288:YSIt+/xerrmsnUsFIYHqCZnjKFBce/9ghkR6jDzjSbfeXnhLPu2syaUVKnpa:YZD/7nZ7H9njKFBcli67O6XhLjzahpa
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Y..`.................X...........w... ........@.. ....................................@................................

                                                    File Icon

                                                    Icon Hash:1749c81a994c2d93

                                                    Static PE Info

                                                    General

                                                    Entrypoint:0x4c771e
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                    Time Stamp:0x60F91259 [Thu Jul 22 06:38:17 2021 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:v4.0.30319
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                    Entrypoint Preview

                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    add byte ptr [eax], al

                                                    Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xc76d0          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xca000          0x1e06c       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xea000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                    Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x2000           0xc5724       0xc5800   False     0.777621884889   data       7.56840197347    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.sdata  0xc8000          0x18          0x200     False     0.060546875      data       0.456640975135   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc   0xca000          0x1e06c       0x1e200   False     0.304201244813   data       5.12107540034    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xea000          0xc           0x200     False     0.044921875      data       0.0980041756627  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                    Resources

Name           RVA      Size     Type                                                                                                                              Language  Country
RT_ICON        0xca220  0x468    GLS_BINARY_LSB_FIRST
RT_ICON        0xca688  0x10a8   dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 86452005, next used block 10132114
RT_ICON        0xcb730  0x25a8   dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 54805568, next used block 21251136
RT_ICON        0xcdcd8  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 54805568, next used block 4473920
RT_ICON        0xd1f00  0x10828  data
RT_ICON        0xe2728  0x539b   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON  0xe7ac4  0x5a     data
RT_VERSION     0xe7b20  0x35e    data
RT_MANIFEST    0xe7e80  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                    Imports

DLL          Import
mscoree.dll  _CorExeMain

                                                    Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    (c) 2019 Riot Games, Inc.
Assembly Version  2.0.26.9
InternalName      ValueFix.exe
FileVersion       2.0.26.9
CompanyName       Riot Games, Inc.
LegalTrademarks
Comments
ProductName       Riot Client
ProductVersion    2.0.26.9
FileDescription   Riot Client
OriginalFilename  ValueFix.exe

                                                    Network Behavior

                                                    Network Port Distribution

                                                    TCP Packets

Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Jul 22, 2021 12:02:55.453504086 CEST  49739        587        192.168.2.3     188.93.227.195
Jul 22, 2021 12:02:55.537091017 CEST  587          49739      188.93.227.195  192.168.2.3
Jul 22, 2021 12:02:55.537626028 CEST  49739        587        192.168.2.3     188.93.227.195
Jul 22, 2021 12:02:55.718158007 CEST  587          49739      188.93.227.195  192.168.2.3
Jul 22, 2021 12:02:55.720782995 CEST  49739        587        192.168.2.3     188.93.227.195
Jul 22, 2021 12:02:55.804296017 CEST  587          49739      188.93.227.195  192.168.2.3
Jul 22, 2021 12:02:55.804797888 CEST  49739        587        192.168.2.3     188.93.227.195
Jul 22, 2021 12:02:55.890711069 CEST  587          49739      188.93.227.195  192.168.2.3
Jul 22, 2021 12:02:55.931384087 CEST  49739        587        192.168.2.3     188.93.227.195
Jul 22, 2021 12:02:55.971260071 CEST  49739        587        192.168.2.3     188.93.227.195
Jul 22, 2021 12:02:56.064718008 CEST  587          49739      188.93.227.195  192.168.2.3
Jul 22, 2021 12:02:56.064744949 CEST  587          49739      188.93.227.195  192.168.2.3
Jul 22, 2021 12:02:56.064758062 CEST  587          49739      188.93.227.195  192.168.2.3
Jul 22, 2021 12:02:56.064785957 CEST  587          49739      188.93.227.195  192.168.2.3
Jul 22, 2021 12:02:56.065032005 CEST  49739        587        192.168.2.3     188.93.227.195
Jul 22, 2021 12:02:56.065334082 CEST  587          49739      188.93.227.195  192.168.2.3
Jul 22, 2021 12:02:56.078958035 CEST  49739        587        192.168.2.3     188.93.227.195
Jul 22, 2021 12:02:56.166285038 CEST  587          49739      188.93.227.195  192.168.2.3
Jul 22, 2021 12:02:56.212625027 CEST  49739        587        192.168.2.3     188.93.227.195
Jul 22, 2021 12:02:56.436260939 CEST  49739        587        192.168.2.3     188.93.227.195
Jul 22, 2021 12:02:56.520169973 CEST  587          49739      188.93.227.195  192.168.2.3
Jul 22, 2021 12:02:56.522408962 CEST  49739        587        192.168.2.3     188.93.227.195
Jul 22, 2021 12:02:56.606291056 CEST  587          49739      188.93.227.195  192.168.2.3
Jul 22, 2021 12:02:56.607594967 CEST  49739        587        192.168.2.3     188.93.227.195
Jul 22, 2021 12:02:56.696959972 CEST  587          49739      188.93.227.195  192.168.2.3
Jul 22, 2021 12:02:56.698246956 CEST  49739        587        192.168.2.3     188.93.227.195
Jul 22, 2021 12:02:56.782324076 CEST  587          49739      188.93.227.195  192.168.2.3
Jul 22, 2021 12:02:56.782718897 CEST  49739        587        192.168.2.3     188.93.227.195
Jul 22, 2021 12:02:56.878906012 CEST  587          49739      188.93.227.195  192.168.2.3
Jul 22, 2021 12:02:56.879219055 CEST  49739        587        192.168.2.3     188.93.227.195
Jul 22, 2021 12:02:56.962773085 CEST  587          49739      188.93.227.195  192.168.2.3
Jul 22, 2021 12:02:56.963463068 CEST  49739        587        192.168.2.3     188.93.227.195
Jul 22, 2021 12:02:56.963514090 CEST  49739        587        192.168.2.3     188.93.227.195
Jul 22, 2021 12:02:56.964054108 CEST  49739        587        192.168.2.3     188.93.227.195
Jul 22, 2021 12:02:56.964066029 CEST  49739        587        192.168.2.3     188.93.227.195
Jul 22, 2021 12:02:57.047020912 CEST  587          49739      188.93.227.195  192.168.2.3
Jul 22, 2021 12:02:57.047041893 CEST  587          49739      188.93.227.195  192.168.2.3
Jul 22, 2021 12:02:57.047396898 CEST  587          49739      188.93.227.195  192.168.2.3
Jul 22, 2021 12:02:57.047414064 CEST  587          49739      188.93.227.195  192.168.2.3
Jul 22, 2021 12:02:57.055247068 CEST  587          49739      188.93.227.195  192.168.2.3
Jul 22, 2021 12:02:57.103302002 CEST  49739        587        192.168.2.3     188.93.227.195

                                                    UDP Packets

Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Jul 22, 2021 12:00:44.322632074 CEST  51281        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:00:44.372987986 CEST  53           51281      8.8.8.8      192.168.2.3
Jul 22, 2021 12:00:45.745069981 CEST  49199        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:00:45.800614119 CEST  53           49199      8.8.8.8      192.168.2.3
Jul 22, 2021 12:00:46.541826010 CEST  50620        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:00:46.600564003 CEST  53           50620      8.8.8.8      192.168.2.3
Jul 22, 2021 12:00:47.140366077 CEST  64938        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:00:47.192239046 CEST  53           64938      8.8.8.8      192.168.2.3
Jul 22, 2021 12:00:48.457087040 CEST  60152        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:00:48.509176970 CEST  53           60152      8.8.8.8      192.168.2.3
Jul 22, 2021 12:00:50.201914072 CEST  57544        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:00:50.258915901 CEST  53           57544      8.8.8.8      192.168.2.3
Jul 22, 2021 12:00:51.661979914 CEST  55984        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:00:51.713931084 CEST  53           55984      8.8.8.8      192.168.2.3
Jul 22, 2021 12:00:52.988853931 CEST  64185        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:00:53.048674107 CEST  53           64185      8.8.8.8      192.168.2.3
Jul 22, 2021 12:00:54.162817001 CEST  65110        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:00:54.212244034 CEST  53           65110      8.8.8.8      192.168.2.3
Jul 22, 2021 12:00:55.065648079 CEST  58361        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:00:55.117610931 CEST  53           58361      8.8.8.8      192.168.2.3
Jul 22, 2021 12:00:56.260020018 CEST  63492        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:00:56.317395926 CEST  53           63492      8.8.8.8      192.168.2.3
Jul 22, 2021 12:00:57.389389038 CEST  60831        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:00:57.438536882 CEST  53           60831      8.8.8.8      192.168.2.3
Jul 22, 2021 12:00:58.734705925 CEST  60100        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:00:58.791606903 CEST  53           60100      8.8.8.8      192.168.2.3
Jul 22, 2021 12:01:00.174190998 CEST  53195        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:01:00.231174946 CEST  53           53195      8.8.8.8      192.168.2.3
Jul 22, 2021 12:01:01.350590944 CEST  50141        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:01:01.402122974 CEST  53           50141      8.8.8.8      192.168.2.3
Jul 22, 2021 12:01:02.121391058 CEST  53023        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:01:02.175849915 CEST  53           53023      8.8.8.8      192.168.2.3
Jul 22, 2021 12:01:02.975672960 CEST  49563        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:01:03.035983086 CEST  53           49563      8.8.8.8      192.168.2.3
Jul 22, 2021 12:01:04.914079905 CEST  51352        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:01:04.966110945 CEST  53           51352      8.8.8.8      192.168.2.3
Jul 22, 2021 12:01:06.055859089 CEST  59349        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:01:06.108244896 CEST  53           59349      8.8.8.8      192.168.2.3
Jul 22, 2021 12:01:07.196876049 CEST  57084        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:01:07.249084949 CEST  53           57084      8.8.8.8      192.168.2.3
Jul 22, 2021 12:01:20.181071043 CEST  58823        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:01:20.249563932 CEST  53           58823      8.8.8.8      192.168.2.3
Jul 22, 2021 12:01:21.557835102 CEST  57568        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:01:21.674859047 CEST  53           57568      8.8.8.8      192.168.2.3
Jul 22, 2021 12:01:35.917995930 CEST  50540        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:01:35.986428976 CEST  53           50540      8.8.8.8      192.168.2.3
Jul 22, 2021 12:01:39.335983038 CEST  54366        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:01:39.393368959 CEST  53           54366      8.8.8.8      192.168.2.3
Jul 22, 2021 12:01:54.240178108 CEST  53034        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:01:54.298537016 CEST  53           53034      8.8.8.8      192.168.2.3
Jul 22, 2021 12:01:57.508630991 CEST  57762        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:01:57.568834066 CEST  53           57762      8.8.8.8      192.168.2.3
Jul 22, 2021 12:02:28.774041891 CEST  55435        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:02:28.851541996 CEST  53           55435      8.8.8.8      192.168.2.3
Jul 22, 2021 12:02:32.230384111 CEST  50713        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:02:32.289351940 CEST  53           50713      8.8.8.8      192.168.2.3
Jul 22, 2021 12:02:55.214694023 CEST  56132        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:02:55.289421082 CEST  53           56132      8.8.8.8      192.168.2.3
Jul 22, 2021 12:02:55.304380894 CEST  58987        53         192.168.2.3  8.8.8.8
Jul 22, 2021 12:02:55.362222910 CEST  53           58987      8.8.8.8      192.168.2.3

                                                    DNS Queries

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                Type            Class
Jul 22, 2021 12:02:55.214694023 CEST  192.168.2.3  8.8.8.8  0x9451    Standard query (0)  mail.tccinfaes.com  A (IP address)  IN (0x0001)
Jul 22, 2021 12:02:55.304380894 CEST  192.168.2.3  8.8.8.8  0x348c    Standard query (0)  mail.tccinfaes.com  A (IP address)  IN (0x0001)

                                                    DNS Answers

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                CName          Address         Type                    Class
Jul 22, 2021 12:02:55.289421082 CEST  8.8.8.8    192.168.2.3  0x9451    No error (0)  mail.tccinfaes.com  tccinfaes.com                  CNAME (Canonical name)  IN (0x0001)
Jul 22, 2021 12:02:55.289421082 CEST  8.8.8.8    192.168.2.3  0x9451    No error (0)  tccinfaes.com                      188.93.227.195  A (IP address)          IN (0x0001)
Jul 22, 2021 12:02:55.362222910 CEST  8.8.8.8    192.168.2.3  0x348c    No error (0)  mail.tccinfaes.com  tccinfaes.com                  CNAME (Canonical name)  IN (0x0001)
Jul 22, 2021 12:02:55.362222910 CEST  8.8.8.8    192.168.2.3  0x348c    No error (0)  tccinfaes.com                      188.93.227.195  A (IP address)          IN (0x0001)

                                                    SMTP Packets

Timestamp                             Source Port  Dest Port  Source IP       Dest IP         Commands
Jul 22, 2021 12:02:55.718158007 CEST  587          49739      188.93.227.195  192.168.2.3     220-iberweb-11a.ibername.com ESMTP Exim 4.94.2 #2 Thu, 22 Jul 2021 11:02:54 +0100
                                                                                              220-We do not authorize the use of this system to transport unsolicited,
                                                                                              220 and/or bulk e-mail.
Jul 22, 2021 12:02:55.720782995 CEST  49739        587        192.168.2.3     188.93.227.195  EHLO 936905
Jul 22, 2021 12:02:55.804296017 CEST  587          49739      188.93.227.195  192.168.2.3     250-iberweb-11a.ibername.com Hello 936905 [84.17.52.8]
                                                                                              250-SIZE 52428800
                                                                                              250-8BITMIME
                                                                                              250-PIPELINING
                                                                                              250-PIPE_CONNECT
                                                                                              250-AUTH PLAIN LOGIN
                                                                                              250-STARTTLS
                                                                                              250 HELP
Jul 22, 2021 12:02:55.804797888 CEST  49739        587        192.168.2.3     188.93.227.195  STARTTLS
Jul 22, 2021 12:02:55.890711069 CEST  587          49739      188.93.227.195  192.168.2.3     220 TLS go ahead

                                                    Code Manipulations

                                                    Statistics

                                                    Behavior

                                                    System Behavior

                                                    General

                                                    Start time:12:00:50
                                                    Start date:22/07/2021
                                                    Path:C:\Users\user\Desktop\RFQ_ 21072021.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Users\user\Desktop\RFQ_ 21072021.exe'
                                                    Imagebase:0x510000
                                                    File size:934400 bytes
                                                    MD5 hash:0A74CBD4246A6E11077876C572A3D507
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Reputation:low

                                                    General

                                                    Start time:12:01:15
                                                    Start date:22/07/2021
                                                    Path:C:\Users\user\Desktop\RFQ_ 21072021.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user\Desktop\RFQ_ 21072021.exe
                                                    Imagebase:0xd90000
                                                    File size:934400 bytes
                                                    MD5 hash:0A74CBD4246A6E11077876C572A3D507
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.467647680.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.471299072.00000000031E1000.00000004.00000001.sdmp, Author: Joe Security
                                                    Reputation:low

                                                    Disassembly

                                                    Code Analysis
