
Windows Analysis Report
RFQ.exe

Overview

General Information

Sample Name: RFQ.exe
Analysis ID: 715063
MD5: aad07a56490f6741c3921858f3043e79
SHA1: a94598c7fc15b6c5acc91f1436dba83997e11e28
SHA256: 3e2d304ef3b13cf0e4ce178d8b04878537871fe4957a579da336daee46cdeeef
Tags: exe

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AntiVM3
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • RFQ.exe (PID: 4968 cmdline: C:\Users\user\Desktop\RFQ.exe MD5: AAD07A56490F6741C3921858F3043E79)
    • RFQ.exe (PID: 3388 cmdline: C:\Users\user\Desktop\RFQ.exe MD5: AAD07A56490F6741C3921858F3043E79)
  • cleanup
Malware Configuration (Snake Keylogger): {"Exfil Mode": "SMTP", "Username": "mariel.lalu@jeteix.com", "Password": "qlRYaFn8   ", "Host": "us2.smtp.mailhostbox.com", "Port": "587"}

Source | Rule | Description | Author | Strings
00000000.00000002.270301502.00000000034F6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen | strings:
  • 0x10eee4:$x1: $%SMTPDV$
  • 0x12e504:$x1: $%SMTPDV$
  • 0x10eefa:$x2: $#TheHashHere%&
  • 0x12e51a:$x2: $#TheHashHere%&
  • 0x1101e8:$x3: %FTPDV$
  • 0x12f808:$x3: %FTPDV$
  • 0x1102ba:$x4: $%TelegramDv$
  • 0x12f8da:$x4: $%TelegramDv$
  • 0x10c849:$x5: KeyLoggerEventArgs
  • 0x10cbdf:$x5: KeyLoggerEventArgs
  • 0x12be69:$x5: KeyLoggerEventArgs
  • 0x12c1ff:$x5: KeyLoggerEventArgs
  • 0x110258:$m1: | Snake Keylogger
  • 0x11031a:$m1: | Snake Keylogger
  • 0x11046e:$m1: | Snake Keylogger
  • 0x110594:$m1: | Snake Keylogger
  • 0x1106ee:$m1: | Snake Keylogger
  • 0x12f878:$m1: | Snake Keylogger
  • 0x12f93a:$m1: | Snake Keylogger
  • 0x12fa8e:$m1: | Snake Keylogger
  • 0x12fbb4:$m1: | Snake Keylogger
(22 entries in total; the remainder is omitted here)
Source | Rule | Description | Author | Strings
0.2.RFQ.exe.471c928.11.raw.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth | strings:
  • 0x94220:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0xb3840:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x93409:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0xb2a29:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x93850:$a4: \Orbitum\User Data\Default\Login Data
  • 0xb2e70:$a4: \Orbitum\User Data\Default\Login Data
  • 0x949d1:$a5: \Kometa\User Data\Default\Login Data
  • 0xb3ff1:$a5: \Kometa\User Data\Default\Login Data
0.2.RFQ.exe.471c928.11.raw.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
0.2.RFQ.exe.471c928.11.raw.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
0.2.RFQ.exe.471c928.11.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
0.2.RFQ.exe.471c928.11.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(57 entries in total; the remainder is omitted here)
No Sigma rule has matched

Snort IDS alert
Timestamp: 10/03/22-15:47:47.039225
Source IP: 192.168.2.3
Destination IP: 132.226.8.169
SID: 2842536
Source Port: 49704
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: RFQ.exe | ReversingLabs: Detection: 33%
Source: RFQ.exe | Virustotal: Detection: 35%
Source: RFQ.exe | Joe Sandbox ML: detected
Source: 1.0.RFQ.exe.400000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 1.0.RFQ.exe.400000.0.unpack | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "mariel.lalu@jeteix.com", "Password": "qlRYaFn8 ", "Host": "us2.smtp.mailhostbox.com", "Port": "587"}
Source: RFQ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: RFQ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 018F6467h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 018FE499h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 018F75E7h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 018FF5F9h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 018FFA51h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 018FDBEAh
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 018F68C7h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 018FE8F1h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 018F4C21h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 018FED49h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 018F6D27h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 018FE041h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 018F534Ah
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 018F7187h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 018FF1A1h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 018F534Ah
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 018F534Ah
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 0699E161h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 06998149h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 06995181h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 069948D1h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 0699EA39h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 06995A31h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 069989F9h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 0699F741h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 06996739h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 06993771h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 06997899h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 06996FE9h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 06994021h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 06994D29h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 069985A1h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 06997CF1h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 0699EE91h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 06995E89h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 0699E5E1h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 069955D9h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 0699FB99h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 06996B91h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 069962E1h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 0699F2E9h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 06993319h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 06997441h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 06994479h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then jmp 06993BC9h
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h]
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h]

Networking

Source: Traffic | Snort IDS: 2842536 ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.3:49704 -> 132.226.8.169:80
Source: C:\Users\user\Desktop\RFQ.exe | DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\RFQ.exe | DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\RFQ.exe | DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\RFQ.exe | DNS query: name: checkip.dyndns.org
Source: Yara match | File source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | ASN Name: UTMEMUS UTMEMUS
Source: Joe Sandbox View | IP Address: 132.226.8.169 132.226.8.169
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: RFQ.exe, 00000001.00000002.510261529.0000000003543000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: RFQ.exe, 00000001.00000002.510207727.0000000003536000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000001.00000002.510261529.0000000003543000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RFQ.exe, 00000001.00000002.509570774.00000000034A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: RFQ.exe, 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RFQ.exe, 00000001.00000002.510207727.0000000003536000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org42k
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: RFQ.exe, 00000001.00000002.509570774.00000000034A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: RFQ.exe, 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: unknown | DNS traffic detected: queries for: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive

System Summary

Source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RFQ.exe.45235c8.7.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ.exe.45235c8.7.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ.exe.45235c8.7.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ.exe.45235c8.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RFQ.exe.4795b48.10.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ.exe.4795b48.10.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ.exe.4795b48.10.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ.exe.4795b48.10.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RFQ.exe PID: 4968, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RFQ.exe PID: 4968, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RFQ.exe PID: 3388, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RFQ.exe PID: 3388, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: RFQ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ.exe.45235c8.7.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.RFQ.exe.45235c8.7.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ.exe.45235c8.7.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ.exe.45235c8.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ.exe.4795b48.10.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.RFQ.exe.4795b48.10.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ.exe.4795b48.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.RFQ.exe.4795b48.10.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: RFQ.exe PID: 4968, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: RFQ.exe PID: 4968, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: RFQ.exe PID: 3388, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: RFQ.exe PID: 3388, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\RFQ.exe | Code functions (process 0): 0_2_032FCA4C, 0_2_032FE9EA, 0_2_032FE9F0, 0_2_032FB468
Source: C:\Users\user\Desktop\RFQ.exe | Code functions (process 1, 018Fxxxx region): 1_2_018F61A9, 1_2_018FE1E1, 1_2_018F7328, 1_2_018F9343, 1_2_018FF341, 1_2_018FF798, 1_2_018FD6BA, 1_2_018F6608, 1_2_018FE638, 1_2_018F59F8, 1_2_018F4960, 1_2_018FEA92, 1_2_018F6A69, 1_2_018FDD87, 1_2_018F6EC9, 1_2_018FEEE8, 1_2_018F59E8, 1_2_018FCF30, 1_2_018FCF40, 1_2_018F3E80, 1_2_018F3E70
Source: C:\Users\user\Desktop\RFQ.exe | Code functions (process 1, 0697xxxx region): 1_2_06970690, 1_2_06972610, 1_2_06970040, 1_2_06970CE0, 1_2_06972C60, 1_2_069732B0, 1_2_06971328, 1_2_06971FC0, 1_2_069738F8, 1_2_06971970, 1_2_06970680, 1_2_06972601, 1_2_06970006, 1_2_06970CD1, 1_2_06972C50, 1_2_069732A0, 1_2_06971319, 1_2_06971FB1, 1_2_069738E8, 1_2_06971961
Source: C:\Users\user\Desktop\RFQ.exe | Code functions (process 1, 0699xxxx region): 1_2_0699DEB8, 1_2_06997EA0, 1_2_06994ED8, 1_2_06994628, 1_2_0699E790, 1_2_06995788, 1_2_06998750, 1_2_0699F498, 1_2_06996490, 1_2_069934C8, 1_2_0699C450, 1_2_069975F0, 1_2_06996D40, 1_2_06993D78, 1_2_06994A80, 1_2_069982F8, 1_2_06997A48, 1_2_06998BA8, 1_2_0699EBE8, 1_2_06995BE0, 1_2_0699E338, 1_2_06995330, 1_2_0699F8F0, 1_2_069968E8, 1_2_06996038, 1_2_0699B828, 1_2_06990040, 1_2_0699F040, 1_2_06993070, 1_2_06997198, 1_2_069941D0, 1_2_06993920, 1_2_0699D150, 1_2_06997E96, 1_2_0699DEA9, 1_2_06994EC8, 1_2_06994618, 1_2_0699E781, 1_2_06998740, 1_2_06995778, 1_2_0699F488, 1_2_069934B9, 1_2_0699647F, 1_2_069975E0, 1_2_06996D38, 1_2_06993D67, 1_2_069982E8, 1_2_06997A37, 1_2_06994A72, 1_2_0699EBD8, 1_2_06995BD0, 1_2_0699531F, 1_2_0699E328, 1_2_0699C0D8, 1_2_069968D7, 1_2_0699C0CA, 1_2_0699F8E0, 1_2_0699B818, 1_2_06990006, 1_2_0699F030, 1_2_06996029, 1_2_06993060, 1_2_06997188, 1_2_069941BF, 1_2_0699390F
Source: RFQ.exe, 00000000.00000002.280928503.0000000004550000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMetal.dllJ vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMetal.dllJ vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.288186151.0000000007B50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTargetParameterCount.dll> vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.272272091.0000000003560000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.270301502.00000000034F6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.270301502.00000000034F6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs RFQ.exe
Source: RFQ.exe, 00000000.00000000.240378654.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameVDnO.exeL vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.288331973.0000000007BA0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTargetParameterCount.dll> vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.269573487.0000000003491000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.269573487.0000000003491000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.288379252.0000000007D40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMetal.dllJ vs RFQ.exe
Source: RFQ.exe, 00000001.00000000.265808349.0000000000422000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameYFGGCVyufgtwfyuTGFWTVFAUYVF.exeX vs RFQ.exe
Source: RFQ.exe, 00000001.00000002.506053802.00000000014F7000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs RFQ.exe
Source: RFQ.exe | Binary or memory string: OriginalFilenameVDnO.exeL vs RFQ.exe
Source: RFQ.exe | ReversingLabs: Detection: 33%
Source: RFQ.exe | Virustotal: Detection: 35%
Source: RFQ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RFQ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\RFQ.exe C:\Users\user\Desktop\RFQ.exe
Source: C:\Users\user\Desktop\RFQ.exe | Process created: C:\Users\user\Desktop\RFQ.exe C:\Users\user\Desktop\RFQ.exe (2 occurrences)
Source: C:\Users\user\Desktop\RFQ.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
Source: RFQ.exe, 00000001.00000002.510819015.000000000451C000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000001.00000002.510363594.000000000355C000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000001.00000002.510404547.0000000003568000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RFQ.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 occurrences)
Source: 1.0.RFQ.exe.400000.0.unpack, ufffd?ufffd?z/ud834udd61ufffd??.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.0.RFQ.exe.400000.0.unpack, u06da??u005e?/???ufffd?.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Users\user\Desktop\RFQ.exe | File read: C:\Windows\System32\drivers\etc\hosts (3 occurrences)
Source: C:\Users\user\Desktop\RFQ.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\RFQ.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: RFQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: RFQ.exe, NetworkArithmeticGame/Form1.cs | .Net Code: UYR0010453 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.RFQ.exe.fe0000.0.unpack, NetworkArithmeticGame/Form1.cs | .Net Code: UYR0010453 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_018F1B69 push 8BFFFFFFh; retf
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_018F2F60 push FFFFFF8Bh; iretd
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_06974198 push es; iretd
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_069750EB push es; iretd
Source: C:\Users\user\Desktop\RFQ.exe | Process information set: NOOPENFILEERRORBOX (81 occurrences)

                  Malware Analysis System Evasion

                  Source: Yara match File source: 00000000.00000002.270301502.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: RFQ.exe PID: 4968, type: MEMORYSTR
                  Source: RFQ.exe, 00000000.00000002.270301502.00000000034F6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                  Source: RFQ.exe, 00000000.00000002.270301502.00000000034F6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAMENSYSTEM\CONTROLSET001\SERVICES\DISK\ENUM
                  Source: C:\Users\user\Desktop\RFQ.exe TID: 5136 Thread sleep time: -41226s >= -30000s
                  Source: C:\Users\user\Desktop\RFQ.exe TID: 5176 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\RFQ.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\RFQ.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\RFQ.exe Thread delayed: delay time: 41226
                  Source: C:\Users\user\Desktop\RFQ.exe Thread delayed: delay time: 922337203685477
                  Source: RFQ.exe, 00000000.00000002.270301502.00000000034F6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: RFQ.exe, 00000000.00000002.270301502.00000000034F6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
                  Source: RFQ.exe, 00000000.00000002.270301502.00000000034F6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SAMPLEDSOFTWARE\VMware, Inc.\VMware Tools
                  Source: RFQ.exe, 00000000.00000002.270301502.00000000034F6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARETSOFTWARE\Oracle\VirtualBox Guest Additions
                  Source: RFQ.exe, 00000000.00000002.270301502.00000000034F6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
                  Source: RFQ.exe, 00000001.00000002.507107349.00000000016B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\RFQ.exe Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\RFQ.exe Code function: 1_2_018F59F8 LdrInitializeThunk,
                  Source: C:\Users\user\Desktop\RFQ.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: 1.0.RFQ.exe.400000.0.unpack, u06da??u005e?/???ufffd?.cs Reference to suspicious API methods: ('??OZ&', 'MapVirtualKey@user32.dll')
                  Source: 1.0.RFQ.exe.400000.0.unpack, ???ufffdufffd/ufffdufffdufffdufffd?.cs Reference to suspicious API methods: ('?m???', 'LoadLibrary@kernel32.dll'), ('????;', 'GetProcAddress@kernel32')
                  Source: C:\Users\user\Desktop\RFQ.exe Memory written: C:\Users\user\Desktop\RFQ.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\RFQ.exe Process created: C:\Users\user\Desktop\RFQ.exe C:\Users\user\Desktop\RFQ.exe
                  Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Users\user\Desktop\RFQ.exe VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exe | Queries volume information: C:\Users\user\Desktop\RFQ.exe VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Note on the entries above: the long run of VolumeInformation queries against C:\Windows\Fonts\*.TTF is the normal by-product of a .NET process enumerating installed fonts through System.Drawing (which this sample loads) and is not by itself an indicator. The entries that do matter for triage are the assemblies the sample pulls in (System.Management for WMI queries, System.Windows.Forms, System.Web.Extensions, Microsoft.VisualBasic) and the read of HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid, a value stealers commonly read to derive a stable per-host identifier for their exfiltrated data.

                  Stealing of Sensitive Information

                  Each Yara match list below belongs to one signature in this section; the signature titles are not present on the page, so the same set of unpacked PE regions, memory dumps and process memory spaces appears once per matching rule.

                  Source: Yara match | File source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.45235c8.7.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.4795b48.10.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: RFQ.exe PID: 4968, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RFQ.exe PID: 3388, type: MEMORYSTR

                  Source: Yara match | File source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.45235c8.7.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.4795b48.10.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: RFQ.exe PID: 4968, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RFQ.exe PID: 3388, type: MEMORYSTR

                  Source: C:\Users\user\Desktop\RFQ.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                  Source: C:\Users\user\Desktop\RFQ.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Users\user\Desktop\RFQ.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Source: C:\Users\user\Desktop\RFQ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

                  Source: Yara match | File source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.45235c8.7.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.4795b48.10.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: RFQ.exe PID: 4968, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RFQ.exe PID: 3388, type: MEMORYSTR
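The four file and registry opens in this section (a Postbox profile directory, the Outlook messaging profile key, FileZilla's recentservers.xml and Chrome's Login Data) are the behavioural core of the "steal Mail / FTP / browser credentials" signatures. The check below turns that pattern into detection logic: it classifies each opened path or key by the kind of credential store it is, discounts the store's own application, and flags a process that reaches stores of more than one kind. This is an added example written for this page, not Joe Sandbox code. The event records, their field names (image, op, target) and the allow-list of legitimate owner processes are constructed assumptions, not a real EDR schema; the store paths are the ones this report lists.

```python
"""Behavioural check for credential-store access by a foreign process.

Added example for this report; it is not part of the Joe Sandbox output.
The store paths are the ones the report shows RFQ.exe opening. The event
records and their field names (image, op, target) are constructed here and
do not follow any real EDR schema.
"""
import re
from collections import defaultdict

# Credential stores grouped by the kind of secret they hold, as regexes over
# the file path or registry key that was opened.
CREDENTIAL_STORES = {
    "browser": [r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$"],
    "ftp":     [r"\\FileZilla\\recentservers\.xml$"],
    "mail":    [r"\\PostboxApp\\Profiles\\?$",
                r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\"],
}

# Processes allowed to open their own store (assumed allow-list; tune per estate).
LEGIT_OWNERS = {
    "browser": {"chrome.exe"},
    "ftp": {"filezilla.exe"},
    "mail": {"outlook.exe", "postbox.exe"},
}


def classify(target):
    """Return the store kind for a path or key, or None if it is not a credential store."""
    for kind, patterns in CREDENTIAL_STORES.items():
        if any(re.search(p, target, re.IGNORECASE) for p in patterns):
            return kind
    return None


def find_credential_harvesters(events, min_kinds=2):
    """Map image name -> sorted store kinds for processes that opened stores of
    at least `min_kinds` distinct kinds, ignoring each store's own application.
    One foreign read is worth a look; several kinds from one process is the
    stealer pattern this report documents (mail + ftp + browser)."""
    hits = defaultdict(set)
    for ev in events:
        kind = classify(ev["target"])
        if kind is None:
            continue
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in LEGIT_OWNERS[kind]:
            continue
        hits[image].add(kind)
    return {img: sorted(kinds) for img, kinds in hits.items() if len(kinds) >= min_kinds}


# Constructed events: the four opens from the report, plus benign noise.
SAMPLE_EVENTS = [
    {"image": "C:\\Users\\user\\Desktop\\RFQ.exe", "op": "FileOpen",
     "target": "C:\\Users\\user\\AppData\\Roaming\\PostboxApp\\Profiles\\"},
    {"image": "C:\\Users\\user\\Desktop\\RFQ.exe", "op": "RegOpen",
     "target": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\"
               "Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"},
    {"image": "C:\\Users\\user\\Desktop\\RFQ.exe", "op": "FileOpen",
     "target": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"},
    {"image": "C:\\Users\\user\\Desktop\\RFQ.exe", "op": "FileOpen",
     "target": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    # Chrome reading its own store: allow-listed, not counted.
    {"image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "op": "FileOpen",
     "target": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    # Unrelated file: not a credential store.
    {"image": "C:\\Windows\\explorer.exe", "op": "FileOpen",
     "target": "C:\\Users\\user\\Desktop\\notes.txt"},
    # Hypothetical backup tool touching a single kind: below the default threshold.
    {"image": "C:\\Tools\\backup.exe", "op": "FileOpen",
     "target": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"},
]

if __name__ == "__main__":
    for image, kinds in find_credential_harvesters(SAMPLE_EVENTS).items():
        print(f"{image}: opened credential stores of kinds {kinds}")
```

Run against the constructed events, only rfq.exe is reported, with all three kinds; the backup tool shows up only if `min_kinds` is lowered to 1. In production the allow-list should be keyed on signed image path rather than bare file name, since a stealer can trivially call itself chrome.exe.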

                  Remote Access Functionality

                  Source: Yara match | File source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.45235c8.7.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.4795b48.10.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: RFQ.exe PID: 4968, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RFQ.exe PID: 3388, type: MEMORYSTR

                  Source: Yara match | File source: 0.2.RFQ.exe.471c928.11.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.45235c8.7.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.4499930.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.4795b48.10.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.0.RFQ.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.4795b48.10.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.45235c8.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ.exe.4501fa8.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: RFQ.exe PID: 4968, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RFQ.exe PID: 3388, type: MEMORYSTR
                  MITRE ATT&CK Matrix, by tactic

                  Entries with a leading number carry the report's signature-count badge as rendered and are the techniques this sample triggered; un-numbered entries are the matrix's default cells, not observed behaviour.

                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                  Execution: 1 Native API; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
                  Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                  Privilege Escalation: 111 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                  Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 21 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 11 Software Packing
                  Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                  Discovery: 11 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Remote System Discovery; 1 System Network Configuration Discovery; 13 System Information Discovery; Network Sniffing
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                  Collection: 1 Email Collection; 11 Archive Collected Data; 2 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                  Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
                  Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
                  Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                  Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
                  Antivirus, machine learning and URL reputation results

                  Source | Detection | Scanner | Label
                  RFQ.exe | 33% | ReversingLabs | ByteCode-MSIL.Spyware.SnakeLogger
                  RFQ.exe | 36% | Virustotal |
                  RFQ.exe | 100% | Joe Sandbox ML |

                  No Antivirus matches

                  Source | Detection | Scanner | Label
                  1.0.RFQ.exe.400000.0.unpack | 100% | Avira | TR/ATRAPS.Gen

                  Source | Detection | Scanner | Label
                  checkip.dyndns.com | 0% | Virustotal |
                  checkip.dyndns.org | 0% | Virustotal |

                  Source | Detection | Scanner | Label
                  http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                  http://www.tiro.com | 0% | URL Reputation | safe
                  http://checkip.dyndns.org | 0% | URL Reputation | safe
                  http://www.goodfont.co.kr | 0% | URL Reputation | safe
                  http://www.carterandcone.coml | 0% | URL Reputation | safe
                  http://www.carterandcone.coml | 0% | URL Reputation | safe
                  http://www.sajatypeworks.com | 0% | URL Reputation | safe
                  http://www.typography.netD | 0% | URL Reputation | safe
                  http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                  http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                  http://fontfabrik.com | 0% | URL Reputation | safe
                  http://fontfabrik.com | 0% | URL Reputation | safe
                  http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                  http://checkip.dyndns.org/ | 0% | URL Reputation | safe
                  http://checkip.dyndns.org/q | 0% | URL Reputation | safe
                  http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                  http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                  http://www.sandoll.co.kr | 0% | URL Reputation | safe
                  http://checkip.dyndns.com | 0% | URL Reputation | safe
                  http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                  http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                  http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                  http://www.sakkal.com | 0% | URL Reputation | safe
                  http://checkip.dyndns.org42k | 0% | Avira URL Cloud | safe
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  checkip.dyndns.com | 132.226.8.169 | true | true | | unknown
                  checkip.dyndns.org | unknown | unknown | true | | unknown

                  Name | Malicious | Antivirus Detection | Reputation
                  http://checkip.dyndns.org/ | true | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot | RFQ.exe, 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org | RFQ.exe, 00000001.00000002.510207727.0000000003536000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000001.00000002.510261529.0000000003543000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.sajatypeworks.com | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.founder.com.cn/cn | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | RFQ.exe, 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, RFQ.exe, 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org42k | RFQ.exe, 00000001.00000002.510207727.0000000003536000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.com | RFQ.exe, 00000001.00000002.510261529.0000000003543000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RFQ.exe, 00000001.00000002.509570774.00000000034A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | RFQ.exe, 00000000.00000002.286374414.0000000007692000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
132.226.8.169 | checkip.dyndns.com | United States | | 16989 | UTMEMUS | true
                                          IP
                                          192.168.2.1
                                          Joe Sandbox Version:36.0.0 Rainbow Opal
                                          Analysis ID:715063
                                          Start date and time:2022-10-03 15:46:41 +02:00
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 9m 24s
                                          Hypervisor based Inspection enabled:false
                                          Report type:light
                                          Sample file name:RFQ.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:13
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.spyw.evad.winEXE@3/1@2/2
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HDC Information:Failed
                                          HCA Information:
                                          • Successful, ratio: 100%
                                          • Number of executed functions: 0
                                          • Number of non-executed functions: 0
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                          • Excluded domains from analysis (whitelisted): fs.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
15:47:42 | API Interceptor | 1x Sleep call for process: RFQ.exe modified
                                          No context
                                          Process:C:\Users\user\Desktop\RFQ.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1308
                                          Entropy (8bit):5.345811588615766
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                          MD5:2E016B886BDB8389D2DD0867BE55F87B
                                          SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                          SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                          SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                          Malicious:true
                                          Reputation:high, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):6.343356100169625
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Windows Screen Saver (13104/52) 0.07%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          File name:RFQ.exe
                                          File size:820224
                                          MD5:aad07a56490f6741c3921858f3043e79
                                          SHA1:a94598c7fc15b6c5acc91f1436dba83997e11e28
                                          SHA256:3e2d304ef3b13cf0e4ce178d8b04878537871fe4957a579da336daee46cdeeef
                                          SHA512:cf06bbfe743ee7ea0835b3703602b7089e599fa8e2d023546d38b10e77defca4b092697f977fa3b2fe804d303f7b8bfb9d80ef557eebf925c1f998d7dde20e4a
                                          SSDEEP:12288:uXstLovH4+5mCTWQg3mlDJwrxMF0LnXRBnU+wD+E542KK4HTN:bAHEtQV72MCLnXXfwDJ5
                                          TLSH:0B05CF2113E69B0BD4165374CDD2C3B0AFE84EA4E2B1C2474FD9FD6BB47B1AABA40145
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....:c..............0..x............... ........@.. ....................................@................................
                                          Icon Hash:00828e8e8686b000
                                          Entrypoint:0x4c978a
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x633A8CAF [Mon Oct 3 07:18:07 2022 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
                                          jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc9738 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xca000 | 0x608 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xcc000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xc7790 | 0xc7800 | False | 0.6484485138627819 | data | 6.351383148051993 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xca000 | 0x608 | 0x800 | False | 0.33251953125 | data | 3.444084076963786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xcc000 | 0xc | 0x200 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xca090 | 0x378 | data | |
RT_MANIFEST | 0xca418 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
10/03/22-15:47:47.039225 | TCP | 2842536 | ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check | 49704 | 80 | 192.168.2.3 | 132.226.8.169
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2022 15:47:46.579755068 CEST | 49704 | 80 | 192.168.2.3 | 132.226.8.169
Oct 3, 2022 15:47:46.884941101 CEST | 80 | 49704 | 132.226.8.169 | 192.168.2.3
Oct 3, 2022 15:47:46.886537075 CEST | 49704 | 80 | 192.168.2.3 | 132.226.8.169
Oct 3, 2022 15:47:47.039225101 CEST | 49704 | 80 | 192.168.2.3 | 132.226.8.169
Oct 3, 2022 15:47:47.343703985 CEST | 80 | 49704 | 132.226.8.169 | 192.168.2.3
Oct 3, 2022 15:47:47.344213009 CEST | 80 | 49704 | 132.226.8.169 | 192.168.2.3
Oct 3, 2022 15:47:47.394360065 CEST | 49704 | 80 | 192.168.2.3 | 132.226.8.169
Oct 3, 2022 15:48:52.343807936 CEST | 80 | 49704 | 132.226.8.169 | 192.168.2.3
Oct 3, 2022 15:48:52.344105005 CEST | 49704 | 80 | 192.168.2.3 | 132.226.8.169
Oct 3, 2022 15:49:27.373189926 CEST | 49704 | 80 | 192.168.2.3 | 132.226.8.169
Oct 3, 2022 15:49:27.677575111 CEST | 80 | 49704 | 132.226.8.169 | 192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2022 15:47:46.492577076 CEST | 57840 | 53 | 192.168.2.3 | 8.8.8.8
Oct 3, 2022 15:47:46.511396885 CEST | 53 | 57840 | 8.8.8.8 | 192.168.2.3
Oct 3, 2022 15:47:46.524517059 CEST | 57990 | 53 | 192.168.2.3 | 8.8.8.8
Oct 3, 2022 15:47:46.541333914 CEST | 53 | 57990 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 3, 2022 15:47:46.492577076 CEST | 192.168.2.3 | 8.8.8.8 | 0x8324 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Oct 3, 2022 15:47:46.524517059 CEST | 192.168.2.3 | 8.8.8.8 | 0x5673 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 3, 2022 15:47:46.511396885 CEST | 8.8.8.8 | 192.168.2.3 | 0x8324 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 3, 2022 15:47:46.511396885 CEST | 8.8.8.8 | 192.168.2.3 | 0x8324 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 3, 2022 15:47:46.511396885 CEST | 8.8.8.8 | 192.168.2.3 | 0x8324 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 3, 2022 15:47:46.511396885 CEST | 8.8.8.8 | 192.168.2.3 | 0x8324 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 3, 2022 15:47:46.511396885 CEST | 8.8.8.8 | 192.168.2.3 | 0x8324 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 3, 2022 15:47:46.511396885 CEST | 8.8.8.8 | 192.168.2.3 | 0x8324 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 3, 2022 15:47:46.541333914 CEST | 8.8.8.8 | 192.168.2.3 | 0x5673 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 3, 2022 15:47:46.541333914 CEST | 8.8.8.8 | 192.168.2.3 | 0x5673 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 3, 2022 15:47:46.541333914 CEST | 8.8.8.8 | 192.168.2.3 | 0x5673 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 3, 2022 15:47:46.541333914 CEST | 8.8.8.8 | 192.168.2.3 | 0x5673 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 3, 2022 15:47:46.541333914 CEST | 8.8.8.8 | 192.168.2.3 | 0x5673 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 3, 2022 15:47:46.541333914 CEST | 8.8.8.8 | 192.168.2.3 | 0x5673 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
                                          • checkip.dyndns.org
                                          Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                                          0  192.168.2.3  49704  132.226.8.169  80  C:\Users\user\Desktop\RFQ.exe
                                          Timestamp  kBytes transferred  Direction  Data
                                          Oct 3, 2022 15:47:47.039225101 CEST  104  OUT  GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                          Connection: Keep-Alive
                                          Oct 3, 2022 15:47:47.344213009 CEST  105  IN  HTTP/1.1 200 OK
                                          Date: Mon, 03 Oct 2022 13:47:47 GMT
                                          Content-Type: text/html
                                          Content-Length: 106
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 30 32 2e 31 32 39 2e 31 34 33 2e 31 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 102.129.143.15</body></html>



                                          Target ID: 0
                                          Start time: 15:47:33
                                          Start date: 03/10/2022
                                          Path: C:\Users\user\Desktop\RFQ.exe
                                          Wow64 process (32bit): true
                                          Commandline: C:\Users\user\Desktop\RFQ.exe
                                          Imagebase: 0xfe0000
                                          File size: 820224 bytes
                                          MD5 hash: AAD07A56490F6741C3921858F3043E79
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: .Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.270301502.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.282222426.000000000469E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.280279965.0000000004491000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          Reputation: low

                                          Target ID: 1
                                          Start time: 15:47:44
                                          Start date: 03/10/2022
                                          Path: C:\Users\user\Desktop\RFQ.exe
                                          Wow64 process (32bit): true
                                          Commandline: C:\Users\user\Desktop\RFQ.exe
                                          Imagebase: 0xfd0000
                                          File size: 820224 bytes
                                          MD5 hash: AAD07A56490F6741C3921858F3043E79
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: .Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000000.265621168.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                          Reputation: low

                                          No disassembly