Analysis Report OUR REF-RFQ17641-4.exe

Overview

General Information

Sample Name: OUR REF-RFQ17641-4.exe
Analysis ID: 249706
MD5: 4b12529ef46127502423771c5b2a32a5
SHA1: b7dc5b8c756ee7a6981047cf50961a9478ea8e29
SHA256: 554da92aa0dff594ff82094b0a8e8125419723e8899c670f7b8d74daf0580880

Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Agent Tesla Trojan
Yara detected AgentTesla
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to detect sleep reduction / modifications
Hides threads from debuggers
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer
Yara signature match

Classification

Startup

  • System is w10x64
  • OUR REF-RFQ17641-4.exe (PID: 3148 cmdline: 'C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe' MD5: 4B12529EF46127502423771C5B2A32A5)
    • OUR REF-RFQ17641-4.exe (PID: 3208 cmdline: 'C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe' MD5: 4B12529EF46127502423771C5B2A32A5)
      • OUR REF-RFQ17641-4.exe (PID: 2840 cmdline: 'C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe' MD5: 4B12529EF46127502423771C5B2A32A5)
        • OUR REF-RFQ17641-4.exe (PID: 2832 cmdline: 'C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe' MD5: 4B12529EF46127502423771C5B2A32A5)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": " KhdV8onBO9", "URL: ": "", "To: ": "finance@enmark.com.my", "ByHost: ": "mail.enmark.com.my:587", "Password: ": " uvqYRQIev", "From: ": "finance@enmark.com.my"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.880072887.0000000000459000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000001.604477104.0000000000471000.00000040.00020000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.880762589.00000000007F2000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.883322512.0000000002970000.00000004.00000001.sdmp | JoeSecurity_Agenttesla_Smtp_Variant | Yara detected Agent Tesla Trojan | Joe Security
00000006.00000002.883322512.0000000002970000.00000004.00000001.sdmp | agenttesla_smtp_variant | unknown | j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!
  • 0x92c:$a: type={
  • 0x9b8:$a: type={
  • 0x936:$b: hwid={
  • 0x9c2:$b: hwid={
  • 0x940:$c: time={
  • 0x9cc:$c: time={
  • 0x94a:$d: pcname={
  • 0x9d6:$d: pcname={
  • 0x956:$e: logdata={
  • 0x9e2:$e: logdata={
  • 0x963:$f: screen={
  • 0x9ef:$f: screen={
  • 0x96f:$g: ipadd={
  • 0x9fb:$g: ipadd={
  • 0x97a:$h: webcam_link={
  • 0xa06:$h: webcam_link={
  • 0x98b:$i: screen_link={
  • 0xa17:$i: screen_link={
  • 0x99c:$k: [passwords]
  • 0xa28:$k: [passwords]

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.OUR REF-RFQ17641-4.exe.750000.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
6.1.OUR REF-RFQ17641-4.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
6.2.OUR REF-RFQ17641-4.exe.750000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
6.2.OUR REF-RFQ17641-4.exe.7f0000.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.OUR REF-RFQ17641-4.exe.1f6d0000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: OUR REF-RFQ17641-4.exe.2832.6.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": " KhdV8onBO9", "URL: ": "", "To: ": "finance@enmark.com.my", "ByHost: ": "mail.enmark.com.my:587", "Password: ": " uvqYRQIev", "From: ": "finance@enmark.com.my"}
Multi AV Scanner detection for submitted file
Source: OUR REF-RFQ17641-4.exe | Virustotal: Detection: 50%
Machine Learning detection for sample
Source: OUR REF-RFQ17641-4.exe | Joe Sandbox ML: detected
Source: 6.2.OUR REF-RFQ17641-4.exe.7a0000.2.unpack | Avira: Label: TR/Spy.Agent.lkofd
Source: 6.2.OUR REF-RFQ17641-4.exe.400000.0.unpack | Avira: Label: TR/Spy.Agent.lkofd
Source: 5.2.OUR REF-RFQ17641-4.exe.1f6d0000.4.unpack | Avira: Label: TR/Spy.Agent.lkofd
Source: 6.2.OUR REF-RFQ17641-4.exe.7f0000.3.unpack | Avira: Label: TR/Spy.Agent.lkofd
Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe | Code function: 0_2_00408D00 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,0_2_00408D00
Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe | Code function: 0_2_00408E00 FindFirstFileA,GetLastError,0_2_00408E00
Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe | Code function: 0_2_0040583C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_0040583C
Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe | Code function: 4x nop then mov edi, dword ptr [ebp+20h] 4_2_007008EF
Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe | Code function: 4x nop then mov ecx, dword ptr [edi+00000808h] 4_2_007008EF
Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe | Code function: 4x nop then mov ecx, dword ptr [edi+00000808h] 4_2_00700BC1
Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe | Code function: 4x nop then mov ecx, dword ptr [edi+00000808h] 5_2_00560BC1
Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe | Code function: 4x nop then mov edi, dword ptr [ebp+20h] 5_2_005608EF
Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe | Code function: 4x nop then mov ecx, dword ptr [edi+00000808h] 5_2_005608EF

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: checkip.amazonaws.com
Source: global traffic | TCP traffic: 192.168.2.6:49724 -> 110.4.45.145:587
Source: Joe Sandbox View | IP Address: 216.58.215.225 216.58.215.225
Source: Joe Sandbox View | ASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY EXABYTES-AS-APExaBytesNetworkSdnBhdMY
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | TCP traffic: 192.168.2.6:49724 -> 110.4.45.145:587
Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe | Code function: 6_2_0222A186 recv,6_2_0222A186
Source: unknown | DNS traffic detected: queries for: doc-0c-44-docs.googleusercontent.com
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.883978238.0000000002B4A000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.amazonaws.com
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.880962389.000000000087B000.00000004.00000020.sdmp, OUR REF-RFQ17641-4.exe, 00000006.00000002.883955357.0000000002B3C000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.amazonaws.com/
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.883978238.0000000002B4A000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.amazonaws.comx&?p
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.885882157.0000000005D4B000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoc
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.883893183.0000000002B24000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.881132020.000000000090A000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.883893183.0000000002B24000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.883893183.0000000002B24000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.883893183.0000000002B24000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.881098238.00000000008FA000.00000004.00000020.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eas/sc/2b/a5ea21.ico
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.883399732.00000000029A0000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.883399732.00000000029A0000.00000004.00000001.sdmp, OUR REF-RFQ17641-4.exe, 00000006.00000002.880962389.000000000087B000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: OUR REF-RFQ17641-4.exe, 00000006.00000003.684706489.00000000008DC000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp7N
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.883399732.00000000029A0000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehpP3
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.883399732.00000000029A0000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/D
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.883399732.00000000029A0000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/P
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.883399732.00000000029A0000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.883399732.00000000029A0000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.880962389.000000000087B000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpCLMEMhH
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.883399732.00000000029A0000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/D
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.883399732.00000000029A0000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/P
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.883399732.00000000029A0000.00000004.00000001.sdmp, OUR REF-RFQ17641-4.exe, 00000006.00000002.883955357.0000000002B3C000.00000004.00000001.sdmp, OUR REF-RFQ17641-4.exe, 00000006.00000003.684305612.0000000000644000.00000004.00000001.sdmp | String found in binary or memory: https://0yon8PAqBlkwekFe0f.com
Source: OUR REF-RFQ17641-4.exe, 00000005.00000002.605078653.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1H5J20cDnop7M6bMvKPeXGm49G-GMKovF
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.883893183.0000000002B24000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.880962389.000000000087B000.00000004.00000020.sdmp, OUR REF-RFQ17641-4.exe, 00000006.00000003.685050523.00000000008F5000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/content/images/icons/Favicon_EdgeStart.ico
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.883399732.00000000029A0000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/spartan/ientp
Source: OUR REF-RFQ17641-4.exe, 00000006.00000003.685020792.000000000090A000.00000004.00000001.sdmp, OUR REF-RFQ17641-4.exe, 00000006.00000002.880962389.000000000087B000.00000004.00000020.sdmp, OUR REF-RFQ17641-4.exe, 00000006.00000003.685050523.00000000008F5000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/spartan/ientp?locale=en-US&market=US&enableregulatorypsm=0&enablecpsm=0&NTLogo=1
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.883399732.00000000029A0000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/spartan/ientpD
Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.883399732.00000000029A0000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/spartan/ientpP
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe | Code function: 0_2_0042990C GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,0_2_0042990C
Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe | Code function: 0_2_00448408 GetKeyboardState,0_2_00448408
Source: OUR REF-RFQ17641-4.exe, 00000000.00000002.467402322.000000000079A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                    System Summary:

                    barindex
                    Malicious sample detected (through community Yara rule)Show sources
                    Source: 00000006.00000002.883322512.0000000002970000.00000004.00000001.sdmp, type: MEMORYMatched rule: agenttesla_smtp_variant Author: j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!
                    Source: Process Memory Space: OUR REF-RFQ17641-4.exe PID: 2832, type: MEMORYMatched rule: agenttesla_smtp_variant Author: j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!
                    Yara detected Agent Tesla TrojanShow sources
                    Source: Yara matchFile source: 00000006.00000002.883322512.0000000002970000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: OUR REF-RFQ17641-4.exe PID: 2832, type: MEMORY
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 0_2_004660C0 NtdllDefWindowProc_A,0_2_004660C0
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 0_2_0048A506 NtQueryInformationProcess,NtQueryInformationProcess,0_2_0048A506
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 0_2_004892E7 VirtualAlloc,CreateProcessW,NtUnmapViewOfSection,0_2_004892E7
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 0_2_0048D462 NtMapViewOfSection,0_2_0048D462
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 0_2_00466868 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_00466868
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 0_2_00466918 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_00466918
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 0_2_0043321C NtdllDefWindowProc_A,0_2_0043321C
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 0_2_0045B3EC GetSubMenu,SaveDC,RestoreDC,72E8B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,0_2_0045B3EC
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 0_2_0044B384 NtdllDefWindowProc_A,GetCapture,0_2_0044B384
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_2_00702D90 NtResumeThread,4_2_00702D90
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_2_00702A10 NtProtectVirtualMemory,4_2_00702A10
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_2_00700F8C NtWriteVirtualMemory,4_2_00700F8C
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_2_00701167 NtWriteVirtualMemory,4_2_00701167
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_2_00702DCC NtResumeThread,4_2_00702DCC
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_2_00702D96 NtResumeThread,4_2_00702D96
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_2_00700F5E NtWriteVirtualMemory,4_2_00700F5E
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 5_2_00561471 NtProtectVirtualMemory,5_2_00561471
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 5_2_00560D7C CreateThread,TerminateThread,NtProtectVirtualMemory,5_2_00560D7C
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 5_2_00562A10 NtProtectVirtualMemory,5_2_00562A10
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 5_2_00560DCE RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory,5_2_00560DCE
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 5_2_005613FD Sleep,NtProtectVirtualMemory,5_2_005613FD
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 5_2_00562D90 NtSetInformationThread,5_2_00562D90
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 5_2_0056146B NtProtectVirtualMemory,5_2_0056146B
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 5_2_0056032B NtProtectVirtualMemory,5_2_0056032B
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 5_2_00562DCC NtSetInformationThread,5_2_00562DCC
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 5_2_00562D96 NtSetInformationThread,5_2_00562D96
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_00452159 NtCreateSection,6_2_00452159
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_051C0476 NtQuerySystemInformation,6_2_051C0476
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_051C0445 NtQuerySystemInformation,6_2_051C0445
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 0_2_004605B80_2_004605B8
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 0_2_00432F0C0_2_00432F0C
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 0_2_0045B3EC0_2_0045B3EC
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 0_2_0040DFA00_2_0040DFA0
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_2_004015DC4_2_004015DC
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_2_00401E1B4_2_00401E1B
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_2_00401E604_2_00401E60
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_2_00401ECA4_2_00401ECA
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_2_00401ED14_2_00401ED1
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_2_00401ED44_2_00401ED4
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_2_00401EDC4_2_00401EDC
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_2_00401EE84_2_00401EE8
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_2_00401EF04_2_00401EF0
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_2_00401EF94_2_00401EF9
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_2_00401EA64_2_00401EA6
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_2_00401F054_2_00401F05
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_2_00401F084_2_00401F08
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_2_00401F104_2_00401F10
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_2_00401F184_2_00401F18
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_2_007015344_2_00701534
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_1_004015DC4_1_004015DC
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_1_00401E1B4_1_00401E1B
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_1_00401E604_1_00401E60
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_1_00401ECA4_1_00401ECA
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_1_00401ED14_1_00401ED1
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_1_00401ED44_1_00401ED4
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_1_00401EDC4_1_00401EDC
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_1_00401EE84_1_00401EE8
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_1_00401EF04_1_00401EF0
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_1_00401EF94_1_00401EF9
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_1_00401EA64_1_00401EA6
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_1_00401F054_1_00401F05
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_1_00401F084_1_00401F08
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_1_00401F104_1_00401F10
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 4_1_00401F184_1_00401F18
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_0044B9766_2_0044B976
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_0045113D6_2_0045113D
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_04B4D3386_2_04B4D338
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_04B4E2206_2_04B4E220
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_04B4F9386_2_04B4F938
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_04B4F9286_2_04B4F928
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_04B4E92B6_2_04B4E92B
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_04B4E8976_2_04B4E897
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_04B4E20F6_2_04B4E20F
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_04B4CEFE6_2_04B4CEFE
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_04B4F45E6_2_04B4F45E
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_0554B5506_2_0554B550
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_055481306_2_05548130
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_05549DE06_2_05549DE0
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_055465906_2_05546590
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_055411A06_2_055411A0
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_055434286_2_05543428
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_0554BB086_2_0554BB08
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_05548F086_2_05548F08
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_055446006_2_05544600
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_055472F06_2_055472F0
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_05540AEF6_2_05540AEF
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_0554A6B86_2_0554A6B8
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_055481F96_2_055481F9
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_0554A9E86_2_0554A9E8
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_0554A99F6_2_0554A99F
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_055411996_2_05541199
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_055465826_2_05546582
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_05549DBC6_2_05549DBC
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_0554A8106_2_0554A810
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_05543C386_2_05543C38
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_0554B4B86_2_0554B4B8
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_0554A7756_2_0554A775
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_055487686_2_05548768
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_0554B71C6_2_0554B71C
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_0554AB1F6_2_0554AB1F
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_055433D16_2_055433D1
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_0554A7966_2_0554A796
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_0554AA1E6_2_0554AA1E
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_0554AAD76_2_0554AAD7
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_05548EF86_2_05548EF8
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_0554BAF86_2_0554BAF8
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_0554AAED6_2_0554AAED
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: 6_2_0554A6A86_2_0554A6A8
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: String function: 0040418C appears 65 times
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeCode function: String function: 00406884 appears 61 times
                    Source: OUR REF-RFQ17641-4.exeStatic PE information: Resource name: RT_MENU type: DOS executable (COM, 0x8C-variant)
                    Source: OUR REF-RFQ17641-4.exeStatic PE information: Resource name: RT_MENU type: COM executable for DOS
                    Source: OUR REF-RFQ17641-4.exe, 00000000.00000002.468107511.0000000002610000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenameThermolum.exe vs OUR REF-RFQ17641-4.exe
                    Source: OUR REF-RFQ17641-4.exe, Binary or memory string: OriginalFilename vs OUR REF-RFQ17641-4.exe
                    Source: OUR REF-RFQ17641-4.exe, 00000004.00000002.521872136.0000000002220000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameThermolum.exeFE2XRibbon Turbino$ vs OUR REF-RFQ17641-4.exe
                    Source: OUR REF-RFQ17641-4.exe, 00000004.00000001.466363636.000000000040C000.00000040.00020000.sdmp, Binary or memory string: OriginalFilenameThermolum.exe vs OUR REF-RFQ17641-4.exe
                    Source: OUR REF-RFQ17641-4.exe, 00000005.00000002.616383262.000000001EF60000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs OUR REF-RFQ17641-4.exe
                    Source: OUR REF-RFQ17641-4.exe, 00000005.00000002.616267924.000000001EE10000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemswsock.dll.muij% vs OUR REF-RFQ17641-4.exe
                    Source: OUR REF-RFQ17641-4.exe, 00000005.00000002.616879760.000000001F6D2000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenameIELibrary.dll4 vs OUR REF-RFQ17641-4.exe
                    Source: OUR REF-RFQ17641-4.exe, 00000005.00000002.616879760.000000001F6D2000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenameYLUNSZCIEWYCHRDUHOLIFUNMQVZGKYTSCPZZKDHF_20190607180258786.exe4 vs OUR REF-RFQ17641-4.exe
                    Source: OUR REF-RFQ17641-4.exe, 00000005.00000002.616492675.000000001F250000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs OUR REF-RFQ17641-4.exe
                    Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.880072887.0000000000459000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenameIELibrary.dll4 vs OUR REF-RFQ17641-4.exe
                    Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.880072887.0000000000459000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenameYLUNSZCIEWYCHRDUHOLIFUNMQVZGKYTSCPZZKDHF_20190607180258786.exe4 vs OUR REF-RFQ17641-4.exe
                    Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.884233902.0000000004AC0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs OUR REF-RFQ17641-4.exe
                    Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.880926655.0000000000861000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenamemscorwks.dllT vs OUR REF-RFQ17641-4.exe
                    Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.885477211.00000000055A0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamewshom.ocx vs OUR REF-RFQ17641-4.exe
                    Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.886133039.0000000006110000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs OUR REF-RFQ17641-4.exe
                    Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.885505179.00000000055B0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamewshom.ocx.mui vs OUR REF-RFQ17641-4.exe
                    Source: OUR REF-RFQ17641-4.exe, 00000006.00000002.884421040.0000000004E50000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs OUR REF-RFQ17641-4.exe
                    Source: 00000006.00000002.883322512.0000000002970000.00000004.00000001.sdmp, type: MEMORY, Matched rule: agenttesla_smtp_variant date = 2018/2, filetype = memory, reference3 = agent tesla == negasteal -- @coldshell, author = j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!, reference1 = https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection, reference2 = https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a, version = stealer
                    Source: Process Memory Space: OUR REF-RFQ17641-4.exe PID: 2832, type: MEMORY, Matched rule: agenttesla_smtp_variant date = 2018/2, filetype = memory, reference3 = agent tesla == negasteal -- @coldshell, author = j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!, reference1 = https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection, reference2 = https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a, version = stealer
                    Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@7/0@3/2
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_004264B4 GetLastError,FormatMessageA
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 6_2_051C02FA AdjustTokenPrivileges
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 6_2_051C02C3 AdjustTokenPrivileges
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_0040905E GetDiskFreeSpaceA
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_00489B2A CreateToolhelp32Snapshot,VirtualAlloc,Process32FirstW
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_0041E63C FindResourceA,LoadResource,SizeofResource,LockResource
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, File created: C:\Users\user\AppData\Local\Temp\~DFF06F8579A6A7559B.TMP
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, File read: C:\Windows\System32\drivers\etc\hosts
                    Source: OUR REF-RFQ17641-4.exe, Virustotal: Detection: 50%
                    Source: unknown, Process created: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe 'C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe'
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Process created: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe 'C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe'
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                    Source: Window Recorder, Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                    Source: Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb source: OUR REF-RFQ17641-4.exe

                    Data Obfuscation:

                    Detected unpacking (changes PE section rights)
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Unpacked PE file: 4.2.OUR REF-RFQ17641-4.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.data:W;.rsrc:R;
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Unpacked PE file: 6.2.OUR REF-RFQ17641-4.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                    Detected unpacking (overwrites its own PE header)
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Unpacked PE file: 4.2.OUR REF-RFQ17641-4.exe.400000.0.unpack
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Unpacked PE file: 6.2.OUR REF-RFQ17641-4.exe.400000.0.unpack
                    Yara detected GuLoader
                    Source: Yara match, File source: 00000005.00000002.605078653.0000000000560000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: OUR REF-RFQ17641-4.exe PID: 2840, type: MEMORY
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_004523A8 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_004529F4 push 00452A81h; ret 0_2_00452A79
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_004481A8 push ecx; mov dword ptr [esp], ecx 0_2_004481AC
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_0040E270 push 0040E3ECh; ret 0_2_0040E3E4
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_0047E374 push 0047E3CCh; ret 0_2_0047E3C4
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_0047831C push 00478354h; ret 0_2_0047834C
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_0040E3EE push 0040E45Fh; ret 0_2_0040E457
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_0040E3F0 push 0040E45Fh; ret 0_2_0040E457
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_004683A8 push 00468402h; ret 0_2_004683FA
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_004063B0 push 00406401h; ret 0_2_004063F9
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_004684D8 push 00468504h; ret 0_2_004684FC
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_00486578 push 004865EFh; ret 0_2_004865E7
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_00468538 push 00468564h; ret 0_2_0046855C
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_004065E0 push 0040660Ch; ret 0_2_00406604
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_004365A0 push 004365D3h; ret 0_2_004365CB
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_00406658 push 00406684h; ret 0_2_0040667C
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_0047C614 push 0047C640h; ret 0_2_0047C638
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_0047E714 push 0047E7BFh; ret 0_2_0047E7B7
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_004727DC push 00472808h; ret 0_2_00472800
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_0041A78C push ecx; mov dword ptr [esp], edx 0_2_0041A791
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_00472828 push 00472854h; ret 0_2_0047284C
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_00434888 push ecx; mov dword ptr [esp], ecx 0_2_0043488D
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_00418898 push 004188E5h; ret 0_2_004188DD
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_00440920 push 0044094Ch; ret 0_2_00440944
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_0045298C push 004529F2h; ret 0_2_004529EA
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_0041A9B4 push ecx; mov dword ptr [esp], edx 0_2_0041A9B9
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_0042EA74 push 0042EAA0h; ret 0_2_0042EA98
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_0042EA2C push 0042EA6Ah; ret 0_2_0042EA62
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_0041AAD0 push ecx; mov dword ptr [esp], edx 0_2_0041AAD5
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_00440A88 push 00440AB4h; ret 0_2_00440AAC
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_0042EAAC push 0042EAE4h; ret 0_2_0042EADC
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_0047CB78 push 0047CBAFh; ret 0_2_0047CBA7
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_00466148 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_00466868 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_00466918 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_0044CAA8 IsIconic,GetCapture
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_00463170 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_0044D35C IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_0042D4BC IsIconic,GetWindowPlacement,GetWindowRect
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_0044DCB8 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Code function: 0_2_004523A8 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe, Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\OUR REF-RFQ17641-4.exe