
Analysis Report RFQ.exe

Overview

General Information

Sample Name:RFQ.exe
Analysis ID:268272
MD5:d599007680b2af6693c9515585ff4ee7
SHA1:983a07724cae1b342601e45968f87fa771e2e5c0
SHA256:87577cf9a668390b93b9fe82794b21cd0579d4b1a7b4f0a4d0b841d03d046daa

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: MSBuild connects to smtp port
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • RFQ.exe (PID: 6904 cmdline: 'C:\Users\user\Desktop\RFQ.exe' MD5: D599007680B2AF6693C9515585FF4EE7)
    • MSBuild.exe (PID: 7044 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)
      • vbc.exe (PID: 6168 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp623B.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 5768 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp5883.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["browserpv", "mailpv", "WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source; Rule; Description; Author; Strings
Source: 00000000.00000002.243855003.0000000002D21000.00000004.00000001.sdmp; Rule: JoeSecurity_AntiVM_3; Description: Yara detected AntiVM_3; Author: Joe Security
Source: 00000000.00000002.244383737.0000000003D29000.00000004.00000001.sdmp; Rule: MAL_HawkEye_Keylogger_Gen_Dec18; Description: Detects HawkEye Keylogger Reborn; Author: Florian Roth
  • 0x1bb98a:$s2: _ScreenshotLogger
  • 0x2f5fba:$s2: _ScreenshotLogger
  • 0x1bb957:$s3: _PasswordStealer
  • 0x2f5f87:$s3: _PasswordStealer
Source: 00000000.00000002.244383737.0000000003D29000.00000004.00000001.sdmp; Rule: JoeSecurity_HawkEye; Description: Yara detected HawkEye Keylogger; Author: Joe Security
Source: 00000001.00000003.242695727.0000000004A05000.00000004.00000001.sdmp; Rule: JoeSecurity_MailPassView; Description: Yara detected MailPassView; Author: Joe Security
Source: 00000001.00000003.242695727.0000000004A05000.00000004.00000001.sdmp; Rule: JoeSecurity_WebBrowserPassView; Description: Yara detected WebBrowserPassView password recovery tool; Author: Joe Security

          Unpacked PEs

Source; Rule; Description; Author; Strings
Source: 1.2.MSBuild.exe.400000.0.unpack; Rule: MAL_HawkEye_Keylogger_Gen_Dec18; Description: Detects HawkEye Keylogger Reborn; Author: Florian Roth
  • 0x8113a:$s2: _ScreenshotLogger
  • 0x81107:$s3: _PasswordStealer
Source: 1.2.MSBuild.exe.400000.0.unpack; Rule: JoeSecurity_HawkEye; Description: Yara detected HawkEye Keylogger; Author: Joe Security
Source: 1.2.MSBuild.exe.400000.0.unpack; Rule: HawkEyev9; Description: HawkEye v9 Payload; Author: ditekshen
  • 0x81107:$str1: _PasswordStealer
  • 0x81118:$str2: _KeyStrokeLogger
  • 0x8113a:$str3: _ScreenshotLogger
  • 0x81129:$str4: _ClipboardLogger
  • 0x8114c:$str5: _WebCamLogger
  • 0x81261:$str6: _AntiVirusKiller
  • 0x8124f:$str7: _ProcessElevation
  • 0x81216:$str8: _DisableCommandPrompt
  • 0x8131c:$str9: _WebsiteBlocker
  • 0x8132c:$str9: _WebsiteBlocker
  • 0x81202:$str10: _DisableTaskManager
  • 0x8127d:$str11: _AntiDebugger
  • 0x81307:$str12: _WebsiteVisitorSites
  • 0x8122c:$str13: _DisableRegEdit
  • 0x8128b:$str14: _ExecutionDelay
  • 0x811b0:$str15: _InstallStartupPersistance
Source: 1.2.MSBuild.exe.5770000.2.raw.unpack; Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1; Description: Detects BabyShark KimJongRAT; Author: Florian Roth
  • 0x6b8fa:$a1: logins.json
  • 0x6b85a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x6c07e:$s4: \mozsqlite3.dll
  • 0x6a8ee:$s5: SMTP Password
Source: 1.2.MSBuild.exe.5770000.2.raw.unpack; Rule: JoeSecurity_MailPassView; Description: Yara detected MailPassView; Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: MSBuild connects to smtp port
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 54.39.139.67, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7044, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49718
Sigma detected: Suspicious Process Creation
Source: Process started; Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update); Data: Command: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp623B.tmp', CommandLine: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp623B.tmp', CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentProcessId: 7044, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp623B.tmp', ProcessId: 6168

Signature Overview

AV Detection:

Found malware configuration
Source: MSBuild.exe.7044.1.memstr; Malware Configuration Extractor: HawkEye {"Modules": ["browserpv", "mailpv", "WebBrowserPassView"], "Version": ""}
Machine Learning detection for sample
Source: RFQ.exe; Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 4_2_0040A1A7 FindFirstFileW,FindNextFileW, 4_2_0040A1A7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 20_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen, 20_2_0040702D
Source: C:\Users\user\Desktop\RFQ.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_077B0090
Source: C:\Users\user\Desktop\RFQ.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_077B04D8

Networking:

May check the online IP address of the machine
Source: unknown; DNS query: name: bot.whatismyipaddress.com (5 identical entries)
Source: global traffic; TCP traffic: 192.168.2.4:49718 -> 54.39.139.67:587
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1  Host: bot.whatismyipaddress.com  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1  Host: bot.whatismyipaddress.com
Source: global traffic; TCP traffic: 192.168.2.4:49718 -> 54.39.139.67:587
Source: unknown; TCP traffic detected without corresponding DNS query: 2.20.157.220 (50 identical entries)
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1  Host: bot.whatismyipaddress.com  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1  Host: bot.whatismyipaddress.com
Source: MSBuild.exe, 00000001.00000003.242695727.0000000004A05000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.265026123.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: MSBuild.exe, 00000001.00000003.242695727.0000000004A05000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.265026123.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe; String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000004.00000002.265682408.0000000000AA9000.00000004.00000040.sdmp; String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=1033&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srffile:///C:/jbxinitvm.au3file://192.168.2.1/temp/Office16.x86.en-US.ISOhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 00000004.00000002.265682408.0000000000AA9000.00000004.00000040.sdmp; String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=1033&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srffile:///C:/jbxinitvm.au3file://192.168.2.1/temp/Office16.x86.en-US.ISOhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown; DNS traffic detected: queries for: 205.12.2.0.in-addr.arpa
Source: MSBuild.exe, 00000001.00000002.487020677.000000000324A000.00000004.00000001.sdmp; String found in binary or memory: http://bot.whatismyipaddress.com
Source: MSBuild.exe, 00000001.00000002.486851491.000000000319E000.00000004.00000001.sdmp; String found in binary or memory: http://bot.whatismyipaddress.com/
Source: MSBuild.exe, 00000001.00000002.487020677.000000000324A000.00000004.00000001.sdmp; String found in binary or memory: http://bot.whatismyipaddress.com4jkX
Source: MSBuild.exe, 00000001.00000002.487363991.000000000329E000.00000004.00000001.sdmp; String found in binary or memory: http://bot.whatismyipaddress.comD8jk
Source: MSBuild.exe, 00000001.00000002.487363991.000000000329E000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: MSBuild.exe, 00000001.00000002.492836490.0000000006170000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: MSBuild.exe, 00000001.00000002.487363991.000000000329E000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: MSBuild.exe, 00000001.00000002.487363991.000000000329E000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: MSBuild.exe, 00000001.00000002.487363991.000000000329E000.00000004.00000001.sdmp; String found in binary or memory: http://eagleeyeapparels.com
Source: RFQ.exe, 00000000.00000003.221055622.0000000005E8E000.00000004.00000001.sdmp; String found in binary or memory: http://en.wikip
Source: RFQ.exe, 00000000.00000002.253997850.0000000007072000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: MSBuild.exe, 00000001.00000002.487363991.000000000329E000.00000004.00000001.sdmp; String found in binary or memory: http://mail.eagleeyeapparels.com
Source: MSBuild.exe, 00000001.00000002.487363991.000000000329E000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
Source: MSBuild.exe, 00000001.00000002.486851491.000000000319E000.00000004.00000001.sdmp; String found in binary or memory: http://pomf.cat/upload.php
Source: RFQ.exe, 00000000.00000002.244383737.0000000003D29000.00000004.00000001.sdmp, MSBuild.exe, 00000001.00000002.484599692.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: MSBuild.exe, 00000001.00000002.486851491.000000000319E000.00000004.00000001.sdmp; String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: RFQ.exe, 00000000.00000002.243855003.0000000002D21000.00000004.00000001.sdmp, MSBuild.exe, 00000001.00000002.486967828.000000000320B000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RFQ.exe, 00000000.00000002.253997850.0000000007072000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RFQ.exe, 00000000.00000003.221667886.0000000005E88000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com
Source: RFQ.exe, 00000000.00000003.221667886.0000000005E88000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comTCef
Source: RFQ.exe, 00000000.00000003.221822303.0000000005E88000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comes
Source: RFQ.exe, 00000000.00000002.253997850.0000000007072000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: RFQ.exe, 00000000.00000003.221571744.0000000005E88000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.como.
Source: RFQ.exe, 00000000.00000003.221667886.0000000005E88000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comona
Source: RFQ.exe, 00000000.00000003.227753791.0000000005E8A000.00000004.00000001.sdmp, RFQ.exe, 00000000.00000003.228620535.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: RFQ.exe, 00000000.00000002.253997850.0000000007072000.00000004.00000001.sdmp, RFQ.exe, 00000000.00000003.227367603.0000000005E8A000.00000004.00000001.sdmp, RFQ.exe, 00000000.00000003.228198408.0000000005E8A000.00000004.00000001.sdmp, RFQ.exe, 00000000.00000003.235747547.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: RFQ.exe, 00000000.00000003.227000248.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/
Source: RFQ.exe, 00000000.00000002.253997850.0000000007072000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RFQ.exe, 00000000.00000003.227980783.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: RFQ.exe, 00000000.00000002.253997850.0000000007072000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RFQ.exe, 00000000.00000002.253997850.0000000007072000.00000004.00000001.sdmp, RFQ.exe, 00000000.00000003.227662194.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: RFQ.exe, 00000000.00000003.227000248.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/u
Source: RFQ.exe, 00000000.00000002.253997850.0000000007072000.00000004.00000001.sdmp, RFQ.exe, 00000000.00000003.227632684.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: RFQ.exe, 00000000.00000002.253997850.0000000007072000.00000004.00000001.sdmp, RFQ.exe, 00000000.00000003.228198408.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: RFQ.exe, 00000000.00000002.253997850.0000000007072000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: RFQ.exe, 00000000.00000003.227421960.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersR
Source: RFQ.exe, 00000000.00000003.228146469.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersSh
Source: RFQ.exe, 00000000.00000003.228620535.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comF
Source: RFQ.exe, 00000000.00000003.229048705.0000000005E8A000.00000004.00000001.sdmp, RFQ.exe, 00000000.00000003.228620535.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comals
Source: RFQ.exe, 00000000.00000003.228323496.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comalsF
Source: RFQ.exe, 00000000.00000003.229048705.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comalsd
Source: RFQ.exe, 00000000.00000003.227753791.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comd
Source: RFQ.exe, 00000000.00000003.227145235.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comd_
Source: RFQ.exe, 00000000.00000003.227584921.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comdito
Source: RFQ.exe, 00000000.00000003.236138544.0000000005E85000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.come.com
Source: RFQ.exe, 00000000.00000003.227753791.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comessed
Source: RFQ.exe, 00000000.00000003.227753791.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comessed5
Source: RFQ.exe, 00000000.00000003.236138544.0000000005E85000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comionar_
Source: RFQ.exe, 00000000.00000003.227000248.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comique
Source: RFQ.exe, 00000000.00000003.228023547.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comlicd
Source: RFQ.exe, 00000000.00000003.236138544.0000000005E85000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.como
Source: RFQ.exe, 00000000.00000003.227753791.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comoitu
Source: RFQ.exe, 00000000.00000002.253997850.0000000007072000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: RFQ.exe, 00000000.00000002.253997850.0000000007072000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: RFQ.exe, 00000000.00000002.253997850.0000000007072000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RFQ.exe, 00000000.00000002.253997850.0000000007072000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RFQ.exe, 00000000.00000003.220991409.0000000005E85000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/io
Source: RFQ.exe, 00000000.00000003.220767713.0000000005E85000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnF
Source: RFQ.exe, 00000000.00000003.220822548.0000000005E8E000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnl-s
Source: RFQ.exe, 00000000.00000003.229827842.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/
Source: RFQ.exe, 00000000.00000002.253997850.0000000007072000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RFQ.exe, 00000000.00000003.229827842.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/Ve
Source: RFQ.exe, 00000000.00000002.253997850.0000000007072000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RFQ.exe, 00000000.00000003.231983728.0000000005EA7000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm_
Source: RFQ.exe, 00000000.00000002.253997850.0000000007072000.00000004.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: RFQ.exe, 00000000.00000003.223183989.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RFQ.exe, 00000000.00000003.223591193.0000000005E88000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/5
Source: RFQ.exe, 00000000.00000003.222705881.0000000005E85000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/8
Source: RFQ.exe, 00000000.00000003.223591193.0000000005E88000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/C
Source: RFQ.exe, 00000000.00000003.222705881.0000000005E85000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/L
Source: RFQ.exe, 00000000.00000003.222951656.0000000005E87000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: RFQ.exe, 00000000.00000003.223591193.0000000005E88000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/d_
Source: RFQ.exe, 00000000.00000003.223591193.0000000005E88000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: RFQ.exe, 00000000.00000003.223591193.0000000005E88000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/L
Source: RFQ.exe, 00000000.00000003.223591193.0000000005E88000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/r_
Source: RFQ.exe, 00000000.00000003.229503972.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.monotype.
Source: vbc.exe, 00000004.00000002.264984407.000000000019C000.00000004.00000010.sdmp; String found in binary or memory: http://www.nirsoft.net
Source: vbc.exe, vbc.exe, 00000014.00000002.396920205.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: http://www.nirsoft.net/
Source: RFQ.exe, 00000000.00000002.253997850.0000000007072000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: RFQ.exe, 00000000.00000002.253997850.0000000007072000.00000004.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: RFQ.exe, 00000000.00000002.253997850.0000000007072000.00000004.00000001.sdmp, RFQ.exe, 00000000.00000003.220561865.0000000005E8E000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: RFQ.exe, 00000000.00000003.220561865.0000000005E8E000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kra-e
Source: RFQ.exe, 00000000.00000003.220510584.0000000005E8E000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.krw.m
Source: RFQ.exe, 00000000.00000002.253997850.0000000007072000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: RFQ.exe, 00000000.00000002.253997850.0000000007072000.00000004.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: RFQ.exe, 00000000.00000003.226685039.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.de
Source: RFQ.exe, 00000000.00000002.253997850.0000000007072000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: RFQ.exe, 00000000.00000003.228620535.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deKn
Source: RFQ.exe, 00000000.00000003.226353787.0000000005E8A000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deiv
              Source: RFQ.exe, 00000000.00000002.253997850.0000000007072000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
              Source: RFQ.exe, 00000000.00000003.221511798.0000000005E87000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
              Source: MSBuild.exe, 00000001.00000002.486851491.000000000319E000.00000004.00000001.sdmpString found in binary or memory: https://a.pomf.cat/
              Source: vbc.exe, 00000004.00000002.265682408.0000000000AA9000.00000004.00000040.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
              Source: vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
              Source: MSBuild.exe, 00000001.00000002.487363991.000000000329E000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
              Source: vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
              Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49678
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
              Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49677
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
              Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49677 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49683
              Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49680
              Source: unknownNetwork traffic detected: HTTP traffic on port 49689 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49690 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
              Source: Yara matchFile source: 00000000.00000002.244383737.0000000003D29000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.484599692.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.487546428.00000000032CB000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: RFQ.exe PID: 6904, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 7044, type: MEMORY
              Source: Yara matchFile source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_0040FDCB OpenClipboard,GetLastError,DeleteFileW
              Source: RFQ.exe, 00000000.00000002.243298865.000000000104A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

              System Summary:

Malicious sample detected (through community Yara rule)
              Source: 00000000.00000002.244383737.0000000003D29000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: 00000014.00000002.396920205.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 00000001.00000002.484599692.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: 00000001.00000002.491811286.0000000005770000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: Process Memory Space: RFQ.exe PID: 6904, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: Process Memory Space: MSBuild.exe PID: 7044, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
              Source: 1.2.MSBuild.exe.5770000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 1.2.MSBuild.exe.5770000.2.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 20.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 20.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_060E5F90 NtUnmapViewOfSection
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification
Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0127E190
Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_01279848
Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0127E5B0
Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0127C4E8
Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0127AD84
Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_077B1068
Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_077E0040
Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_077E0007
Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_077EBAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014EA098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E691D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E9B5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E3D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E71D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E81E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E1061
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E9020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E9030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014EA088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E33C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E4398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E43A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E33B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E4758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E4768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E28D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E28E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E0BDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E5CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E3CB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E3F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E3F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_060E47D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_060E54A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_060E4360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_060E4060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_060E3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_060E4988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_060E5498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_060E4351
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_060E4032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_060E4052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_060E3D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_060E3938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_060E3948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_060E4978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_060F62B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_060F4310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_060F4C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_060FFC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_060FC300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_060FC328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_060F3FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_060FFC38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_060F8C4D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_004360CE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_0040509C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00405199
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_0043C2D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00440406
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_0040451D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_004045FF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_0040458E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00404690
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00414A51
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00404C08
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00406C8E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00415DF3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00416E5C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00410FE4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 20_2_00404DE5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 20_2_00404E56
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 20_2_00404EC7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 20_2_00404F58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 20_2_0040BF6B
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00445190 appears 36 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00416849 appears 66 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 0040924D appears 31 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00412084 appears 39 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 004166E8 appears 34 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00416A91 appears 88 times
              Source: RFQ.exeBinary or memory string: OriginalFilename vs RFQ.exe
              Source: RFQ.exe, 00000000.00000002.243855003.0000000002D21000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRebornX Stub.exe" vs RFQ.exe
              Source: RFQ.exe, 00000000.00000002.244383737.0000000003D29000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameJupiter.dll0 vs RFQ.exe
              Source: RFQ.exe, 00000000.00000002.243298865.000000000104A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs RFQ.exe
              Source: RFQ.exeBinary or memory string: OriginalFilenamevbbkCkSUbf.exe6 vs RFQ.exe
              Source: 00000000.00000002.244383737.0000000003D29000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000014.00000002.396920205.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 00000001.00000002.484599692.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000001.00000002.491811286.0000000005770000.00000004.00000001.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: Process Memory Space: RFQ.exe PID: 6904, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: Process Memory Space: MSBuild.exe PID: 7044, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: Process Memory Space: MSBuild.exe PID: 7044, type: MEMORYMatched rule: CobaltStrike_C2_Host_Indicator date = 2019-08-16, author = yara@s3c.za.net, description = Detects CobaltStrike C2 host artifacts
              Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 1.2.MSBuild.exe.5770000.2.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 1.2.MSBuild.exe.5770000.2.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 20.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 20.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: RFQ.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: 1.2.MSBuild.exe.400000.0.unpack, u200d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.MSBuild.exe.400000.0.unpack, u200d????????????????????????????????????????.csCryptographic APIs: 'CreateDecryptor'
              Source: 1.2.MSBuild.exe.400000.0.unpack, u200d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.MSBuild.exe.400000.0.unpack, u200c???????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.MSBuild.exe.400000.0.unpack, u202d????????????????????????????????????????.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
              Source: 1.2.MSBuild.exe.400000.0.unpack, u202d????????????????????????????????????????.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 1.2.MSBuild.exe.400000.0.unpack, u206f????????????????????????????????????????.csSecurity API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
              Source: 1.2.MSBuild.exe.400000.0.unpack, u206f????????????????????????????????????????.csSecurity API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
              Source: 1.2.MSBuild.exe.400000.0.unpack, u206f????????????????????????????????????????.csSecurity API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
              Source: 1.2.MSBuild.exe.400000.0.unpack, u206a????????????????????????????????????????.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
              Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@7/3@4/3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_004183B8 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00418842 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00413C19 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_004149B0 FindResourceW,SizeofResource,LoadResource,LockResource
Source: C:\Users\user\Desktop\RFQ.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ.exe.log
              Source: C:\Users\user\Desktop\RFQ.exeMutant created: \Sessions\1\BaseNamedObjects\PobPkOXUDUEiYQIPiuaWZsZ
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\f98d37f4-ca90-4ed7-9f6f-6121c4014605
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile created: C:\Users\user\AppData\Local\Temp\89df898d-29a9-7a66-4fbe-e3c347fa42a9
              Source: RFQ.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RFQ.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeSystem information queried: HandleInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: vbc.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: vbc.exe, 00000004.00000002.265026123.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: vbc.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: vbc.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: vbc.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: unknown Process created: C:\Users\user\Desktop\RFQ.exe 'C:\Users\user\Desktop\RFQ.exe'
              Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp623B.tmp'
              Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp5883.tmp'
              Source: C:\Users\user\Desktop\RFQ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp623B.tmp'
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp5883.tmp'
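The process tree above is the part of this report that is easiest to turn into a detection: RFQ.exe starts MSBuild.exe with no project or switch at all (a build tool with nothing to build is the footprint of a hollowed host), and that MSBuild.exe in turn starts the .NET 2.0 vbc.exe with `/stext <temp file>`. `/stext` is the NirSoft "save as text" switch used by mailpv and WebBrowserPassView (whose PDB paths show up further down in this section); the real Visual Basic compiler has no such option. The following is an added example, not code from the sandbox or from the sample: it runs those two checks over constructed Sysmon Event ID 1 style records (Image / CommandLine / ParentImage are assumed field names) modelled on the lines above, plus two ordinary build events that must stay quiet.

```python
"""Flag the HawkEye-style MSBuild.exe -> vbc.exe /stext chain in process-creation logs.

Added example: the events below are constructed in Sysmon Event ID 1 style and
are modelled on the process tree in this report; they are not sandbox log lines.
"""
import ntpath
import re
from dataclasses import dataclass

# Splits a Windows command line into tokens, honouring single- and double-quoted paths.
TOKEN_RE = re.compile(r"""'[^']*'|"[^"]*"|\S+""")

# Constructed sample: the first three events reproduce the reported chain,
# the last two are ordinary build activity that must not alert.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\user\Desktop\RFQ.exe",
     "CommandLine": r"'C:\Users\user\Desktop\RFQ.exe'",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Users\user\Desktop\RFQ.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "CommandLine": r"'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp623B.tmp'",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe MyApp.sln /p:Configuration=Release",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "CommandLine": r"vbc.exe /noconfig @C:\Users\user\AppData\Local\Temp\abc.cmdline",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
]


@dataclass
class Alert:
    rule: str
    image: str
    detail: str


def tokenize(cmdline: str) -> list[str]:
    """Return command-line tokens with surrounding quotes removed."""
    return [t.strip("'\"") for t in TOKEN_RE.findall(cmdline)]


def check_event(ev: dict) -> list[Alert]:
    """Apply both rules to one process-creation event."""
    image = ntpath.basename(ev["Image"]).lower()
    parent = ntpath.basename(ev["ParentImage"]).lower()
    args = tokenize(ev["CommandLine"])[1:]
    alerts = []
    # MSBuild.exe with an empty argument list: nothing for a build tool to do,
    # but exactly what a hollowed host process looks like in the process tree.
    if image == "msbuild.exe" and not args:
        alerts.append(Alert("msbuild_no_project", ev["Image"],
                            f"started by {parent} with an empty argument list"))
    # /stext is the NirSoft save-as-text switch (mailpv, WebBrowserPassView);
    # the VB and C# compilers have no such option, so a compiler image carrying
    # it has been hollowed and is writing recovered credentials to disk.
    if image in {"vbc.exe", "csc.exe"} and any(a.lower() == "/stext" for a in args):
        target = next((a for a in args if a.lower() != "/stext"), "?")
        alerts.append(Alert("compiler_stext_dump", ev["Image"],
                            f"NirSoft /stext output to {target}; parent {parent}"))
    return alerts


def scan(events) -> list[Alert]:
    """Run check_event over a batch of events and collect every alert."""
    return [a for ev in events for a in check_event(ev)]


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.image}: {a.detail}")
```

On the sample batch the two alerts fire on the hollowed MSBuild.exe and on the vbc.exe writing tmp623B.tmp, while the real build (MSBuild with a solution file, vbc with a response file) produces nothing. In production the second rule is worth keeping parent-agnostic: the credential dumper is the same regardless of which process was chosen as the host.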
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
              Source: C:\Users\user\Desktop\RFQ.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: RFQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: RFQ.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: MSBuild.exe, 00000001.00000003.242695727.0000000004A05000.00000004.00000001.sdmp, vbc.exe
              Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: MSBuild.exe, 00000001.00000003.242695727.0000000004A05000.00000004.00000001.sdmp, vbc.exe

              Data Obfuscation:

              .NET source code contains potential unpacker
              Source: RFQ.exe, CamuNlLCO8Ct8Xpqa5/G6Dp5VHrwwQwctUbu9.cs.Net Code: qVABGPVH5 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.0.RFQ.exe.8f0000.0.unpack, CamuNlLCO8Ct8Xpqa5/G6Dp5VHrwwQwctUbu9.cs.Net Code: qVABGPVH5 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_004449B3 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,4_2_004449B3
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_077E4CFB pushfd ; iretd 0_2_077E4CFC
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00445190 push eax; ret 4_2_004451A4
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00445190 push eax; ret 4_2_004451CC
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00449EB4 push eax; ret 4_2_00449EC1
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00444F79 push ecx; ret 4_2_00444F89
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 20_2_00412341 push ecx; ret 20_2_00412351
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 20_2_00412360 push eax; ret 20_2_00412374
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 20_2_00412360 push eax; ret 20_2_0041239C
              Source: initial sampleStatic PE information: section name: .text entropy: 7.84647233321
              Source: RFQ.exe, D7ERh522ZiJJTUlVxJ/JwNU9sqCplA1ijahrl.csHigh entropy of concatenated method names: '.ctor', 'gAE016xS6', 'FEKtKxNYK', 'fElIC1b6R', 'XS6OFDNww', 'Wjr3Ci1VZ', 'TPnSnYXJa', 'EKgZ2KNH2', 'ul1DkZ8NV', 'mj6fK8G1U'
              Source: RFQ.exe, rM4Hw9UZVhXOJmFAGY/OMevCOaexSVQcZkyoX.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'iBtu6yAO7I', 'mj6TPK8G1U', 'jccTnUa604', 'ukDTVsOCgI', 'O8DTWQEiJO', 'RYnTSNdhSY', 'c62TZ5wVBx', 'z5BTvQ9pIq'
              Source: RFQ.exe, CamuNlLCO8Ct8Xpqa5/G6Dp5VHrwwQwctUbu9.csHigh entropy of concatenated method names: '.ctor', 'qVABGPVH5', 'hySU9KfyE', 'gsswAk3lx', 'fc2xc3TPI', 'oKK3Z7Ftv2us2qLil7', 'GwZFaumALostYd1jPl', 'Gqk8YMTGF3KCTx5mQR', 'iWDRlKytH8lsU1OMHy', 'T65D0HpPO6LH2oMhUY'
              Source: RFQ.exe, rnKbHQ9qAX4g2bMAOS/o7PeBNxnnYosGye9OL.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'rdYukLTNGf', 'JPLJqAuOHp', 'L3tJ6jQdTL', 'GEGTFIRH4e', 'WChTGOhueN', 'CVcJTsBD0U', 'hauJJgN5Vb', 'mj6TPK8G1U'
              Source: RFQ.exe, DYlkiR3Bq2alBAqxDg/AaGSuKTRl8tFkwu5yr.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'k8F6Mgr2dG', 'rGK6X88HoI', 'od76CZjEXt', 'nbF62bIhEB', 'yrs6BkRILt', 'HWB6UCNZh8', 'RGB6wlISii', 'xyq6xqwVCN'
              Source: RFQ.exe, pN4Xs0nD7SNQgQhVi9/zhGVysmZh4WamlqZr2.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'qH7N0mwMRc', 'HpZTdLXrAZ', 'tJlTAWUnR9', 'rWwTMFZM86', 'CByTXNEVwI', 'z5BTvQ9pIq', 'f3jT7GyRvA', 'bJKTChoBRU'
              Source: RFQ.exe, O2owhtO1jbRTplSgE3/oYiMrDiA9syvjPqcdj.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'WGluxH1cNa', 'RYnTSNdhSY', 'c62TZ5wVBx', 'mj6TPK8G1U', 'jccTnUa604', 'ukDTVsOCgI', 'O8DTWQEiJO', 'NfrTcaTxXs'
              Source: RFQ.exe, oHZb5RGEQQ66gvKvgq/nrmpJX58Lo3q8rNN7i.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'KRtqhuL1BE', 'FqiJyx6dFW', 'cCNJ1vbu03', 'GEGTFIRH4e', 'WChTGOhueN', 'mj6TPK8G1U', 'jccTnUa604', 'd1kqLc3o9p'
              Source: RFQ.exe, vpJqOa06FuxOwrw1NG/Pn8gtmA3NAf7seR0cc.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'dt2YqN8tTZ', 'TlvTw72Ety', 'V4TTxIlEnU', 'jWDTB0dUoH', 'lGmTU4blu6', 'bJKTChoBRU', 'av9T2IhyoE', 'z5BTvQ9pIq'
              Source: RFQ.exe, ypPbaNMq1VnKuMv98n/jo7kNkI6w3YaP7cleI.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'keGN509QkS', 'z5BTvQ9pIq', 'f3jT7GyRvA', 'HpZTdLXrAZ', 'tJlTAWUnR9', 'bJKTChoBRU', 'av9T2IhyoE', 'J0XNzG1vuU'
              Source: RFQ.exe, OybkA2KPMprX1c8RXT/r7hk3oykZvrEMCobqm.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'ff4Y0Vvits', 'jWDTB0dUoH', 'lGmTU4blu6', 'rWwTMFZM86', 'CByTXNEVwI', 'HpZTdLXrAZ', 'tJlTAWUnR9', 'z5BTvQ9pIq'
              Source: RFQ.exe, uhjaemlK2hcbFqkLQK/mlW26ufE5u0STKDeLn.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'X26YyXO4BW', 'TlvTw72Ety', 'V4TTxIlEnU', 'jWDTB0dUoH', 'lGmTU4blu6', 'bJKTChoBRU', 'av9T2IhyoE', 'z5BTvQ9pIq'
              Source: RFQ.exe, lL4IGd1nJkkcrGWWPg/qZW8CaV7HPlHlUWRrU.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'XCJY4Ynfhj', 'z5BTvQ9pIq', 'f3jT7GyRvA', 'HpZTdLXrAZ', 'tJlTAWUnR9', 'G9jYRhDskT', 'QA4BByADhvPPUmF5058', 'gdnl3bAevZncl6JpUjB'
              Source: RFQ.exe, Xj0nrTovLdgtZKrEF1/mK15oeWwbwrn1WymFc.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'etKYAeoXTW', 'z5BTvQ9pIq', 'f3jT7GyRvA', 'HpZTdLXrAZ', 'tJlTAWUnR9', 'bJKTChoBRU', 'av9T2IhyoE', 'rWwTMFZM86'
              Source: RFQ.exe, TnYTYnNDMMGyjJKyCG/yvHq6QFrr04VOSkwcv.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'mdcYGrbixd', 'z5BTvQ9pIq', 'f3jT7GyRvA', 'PYmYvKuP0H', 'SoBNjZC11dDoyWV8gMS', 'V4mnx0C7lX3NprrH7CZ', 'SJPwXwClycbWEbFy1t8', 'NdAqAvCELRe1MmWpWhL'
              Source: RFQ.exe, lDpIxTCBL1XQtTtkdn/BJQjRB8g20kk9gL5n8.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'JwJYn3eFyh', 'z5BTvQ9pIq', 'f3jT7GyRvA', 'zhYYVSAwlI', 'RgioXBArtPFAlJuYATv', 'Tfe23SAgVXsPyZmApJp', 'pbvqKeAP4XdgbXUMBgW', 'vmGRP9AwsUc4Q3hVEfX'
              Source: RFQ.exe, rSVYKvpcErbmjshmQH/GdxU0Z7cqIfl2rNLlA.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'cCNNBvbu03', 'z5BTvQ9pIq', 'f3jT7GyRvA', 'BHvNUy4PQW', 'i2YNwgn9UH', 'ScryjK6YqsigHCKmhy7', 'wwPVtG67o1dUxY3Ptb9', 'niwqiy6lBDcvhArt65x'
              Source: RFQ.exe, QQdUg448UhDXoqEMuo/BPD5J7wte1HXUUa7jN.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'MTtun6GfEL', 'mj6TPK8G1U', 'jccTnUa604', 'ukDTVsOCgI', 'O8DTWQEiJO', 'RYnTSNdhSY', 'c62TZ5wVBx', 'z5BTvQ9pIq'
              Source: RFQ.exe, xw5B63ZwntfXADeRbk/b1cIH9e4X9khAAxVI7.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'EyhYl5ndx9', 'z5BTvQ9pIq', 'f3jT7GyRvA', 'HpZTdLXrAZ', 'tJlTAWUnR9', 'bJKTChoBRU', 'av9T2IhyoE', 'rWwTMFZM86'
              Source: 0.0.RFQ.exe.8f0000.0.unpack, D7ERh522ZiJJTUlVxJ/JwNU9sqCplA1ijahrl.csHigh entropy of concatenated method names: '.ctor', 'gAE016xS6', 'FEKtKxNYK', 'fElIC1b6R', 'XS6OFDNww', 'Wjr3Ci1VZ', 'TPnSnYXJa', 'EKgZ2KNH2', 'ul1DkZ8NV', 'mj6fK8G1U'
              Source: 0.0.RFQ.exe.8f0000.0.unpack, rM4Hw9UZVhXOJmFAGY/OMevCOaexSVQcZkyoX.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'iBtu6yAO7I', 'mj6TPK8G1U', 'jccTnUa604', 'ukDTVsOCgI', 'O8DTWQEiJO', 'RYnTSNdhSY', 'c62TZ5wVBx', 'z5BTvQ9pIq'
              Source: 0.0.RFQ.exe.8f0000.0.unpack, DYlkiR3Bq2alBAqxDg/AaGSuKTRl8tFkwu5yr.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'k8F6Mgr2dG', 'rGK6X88HoI', 'od76CZjEXt', 'nbF62bIhEB', 'yrs6BkRILt', 'HWB6UCNZh8', 'RGB6wlISii', 'xyq6xqwVCN'
              Source: 0.0.RFQ.exe.8f0000.0.unpack, rnKbHQ9qAX4g2bMAOS/o7PeBNxnnYosGye9OL.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'rdYukLTNGf', 'JPLJqAuOHp', 'L3tJ6jQdTL', 'GEGTFIRH4e', 'WChTGOhueN', 'CVcJTsBD0U', 'hauJJgN5Vb', 'mj6TPK8G1U'
              Source: 0.0.RFQ.exe.8f0000.0.unpack, OybkA2KPMprX1c8RXT/r7hk3oykZvrEMCobqm.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'ff4Y0Vvits', 'jWDTB0dUoH', 'lGmTU4blu6', 'rWwTMFZM86', 'CByTXNEVwI', 'HpZTdLXrAZ', 'tJlTAWUnR9', 'z5BTvQ9pIq'
              Source: 0.0.RFQ.exe.8f0000.0.unpack, CamuNlLCO8Ct8Xpqa5/G6Dp5VHrwwQwctUbu9.csHigh entropy of concatenated method names: '.ctor', 'qVABGPVH5', 'hySU9KfyE', 'gsswAk3lx', 'fc2xc3TPI', 'oKK3Z7Ftv2us2qLil7', 'GwZFaumALostYd1jPl', 'Gqk8YMTGF3KCTx5mQR', 'iWDRlKytH8lsU1OMHy', 'T65D0HpPO6LH2oMhUY'
              Source: 0.0.RFQ.exe.8f0000.0.unpack, pN4Xs0nD7SNQgQhVi9/zhGVysmZh4WamlqZr2.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'qH7N0mwMRc', 'HpZTdLXrAZ', 'tJlTAWUnR9', 'rWwTMFZM86', 'CByTXNEVwI', 'z5BTvQ9pIq', 'f3jT7GyRvA', 'bJKTChoBRU'
              Source: 0.0.RFQ.exe.8f0000.0.unpack, Xj0nrTovLdgtZKrEF1/mK15oeWwbwrn1WymFc.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'etKYAeoXTW', 'z5BTvQ9pIq', 'f3jT7GyRvA', 'HpZTdLXrAZ', 'tJlTAWUnR9', 'bJKTChoBRU', 'av9T2IhyoE', 'rWwTMFZM86'
              Source: 0.0.RFQ.exe.8f0000.0.unpack, vpJqOa06FuxOwrw1NG/Pn8gtmA3NAf7seR0cc.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'dt2YqN8tTZ', 'TlvTw72Ety', 'V4TTxIlEnU', 'jWDTB0dUoH', 'lGmTU4blu6', 'bJKTChoBRU', 'av9T2IhyoE', 'z5BTvQ9pIq'
              Source: 0.0.RFQ.exe.8f0000.0.unpack, oHZb5RGEQQ66gvKvgq/nrmpJX58Lo3q8rNN7i.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'KRtqhuL1BE', 'FqiJyx6dFW', 'cCNJ1vbu03', 'GEGTFIRH4e', 'WChTGOhueN', 'mj6TPK8G1U', 'jccTnUa604', 'd1kqLc3o9p'
              Source: 0.0.RFQ.exe.8f0000.0.unpack, uhjaemlK2hcbFqkLQK/mlW26ufE5u0STKDeLn.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'X26YyXO4BW', 'TlvTw72Ety', 'V4TTxIlEnU', 'jWDTB0dUoH', 'lGmTU4blu6', 'bJKTChoBRU', 'av9T2IhyoE', 'z5BTvQ9pIq'
              Source: 0.0.RFQ.exe.8f0000.0.unpack, xw5B63ZwntfXADeRbk/b1cIH9e4X9khAAxVI7.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'EyhYl5ndx9', 'z5BTvQ9pIq', 'f3jT7GyRvA', 'HpZTdLXrAZ', 'tJlTAWUnR9', 'bJKTChoBRU', 'av9T2IhyoE', 'rWwTMFZM86'
              Source: 0.0.RFQ.exe.8f0000.0.unpack, ypPbaNMq1VnKuMv98n/jo7kNkI6w3YaP7cleI.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'keGN509QkS', 'z5BTvQ9pIq', 'f3jT7GyRvA', 'HpZTdLXrAZ', 'tJlTAWUnR9', 'bJKTChoBRU', 'av9T2IhyoE', 'J0XNzG1vuU'
              Source: 0.0.RFQ.exe.8f0000.0.unpack, TnYTYnNDMMGyjJKyCG/yvHq6QFrr04VOSkwcv.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'mdcYGrbixd', 'z5BTvQ9pIq', 'f3jT7GyRvA', 'PYmYvKuP0H', 'SoBNjZC11dDoyWV8gMS', 'V4mnx0C7lX3NprrH7CZ', 'SJPwXwClycbWEbFy1t8', 'NdAqAvCELRe1MmWpWhL'
              Source: 0.0.RFQ.exe.8f0000.0.unpack, rSVYKvpcErbmjshmQH/GdxU0Z7cqIfl2rNLlA.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'cCNNBvbu03', 'z5BTvQ9pIq', 'f3jT7GyRvA', 'BHvNUy4PQW', 'i2YNwgn9UH', 'ScryjK6YqsigHCKmhy7', 'wwPVtG67o1dUxY3Ptb9', 'niwqiy6lBDcvhArt65x'
              Source: 0.0.RFQ.exe.8f0000.0.unpack, QQdUg448UhDXoqEMuo/BPD5J7wte1HXUUa7jN.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'MTtun6GfEL', 'mj6TPK8G1U', 'jccTnUa604', 'ukDTVsOCgI', 'O8DTWQEiJO', 'RYnTSNdhSY', 'c62TZ5wVBx', 'z5BTvQ9pIq'
              Source: 0.0.RFQ.exe.8f0000.0.unpack, O2owhtO1jbRTplSgE3/oYiMrDiA9syvjPqcdj.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'WGluxH1cNa', 'RYnTSNdhSY', 'c62TZ5wVBx', 'mj6TPK8G1U', 'jccTnUa604', 'ukDTVsOCgI', 'O8DTWQEiJO', 'NfrTcaTxXs'
              Source: 0.0.RFQ.exe.8f0000.0.unpack, lDpIxTCBL1XQtTtkdn/BJQjRB8g20kk9gL5n8.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'JwJYn3eFyh', 'z5BTvQ9pIq', 'f3jT7GyRvA', 'zhYYVSAwlI', 'RgioXBArtPFAlJuYATv', 'Tfe23SAgVXsPyZmApJp', 'pbvqKeAP4XdgbXUMBgW', 'vmGRP9AwsUc4Q3hVEfX'
              Source: 0.0.RFQ.exe.8f0000.0.unpack, lL4IGd1nJkkcrGWWPg/qZW8CaV7HPlHlUWRrU.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'XCJY4Ynfhj', 'z5BTvQ9pIq', 'f3jT7GyRvA', 'HpZTdLXrAZ', 'tJlTAWUnR9', 'G9jYRhDskT', 'QA4BByADhvPPUmF5058', 'gdnl3bAevZncl6JpUjB'
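Two of the Data Obfuscation hits above are entropy measurements: the `.text` section scores 7.846 bits per byte (close to the 8.0 ceiling that compressed or encrypted data reaches, where compiled code normally sits well below), and each class's concatenated method names score high because the names are random mixed-case alphanumerics rather than words. The block below is an added example, not code from the sandbox or from the sample, that recomputes both measurements: a hand-written PE section-table parser scored over a constructed PE-shaped blob (headers plus raw section data, not a loadable image), and the method-name check run over one set of names quoted in the report next to a constructed un-obfuscated set. The 7.0 packed threshold is an assumption, a common rule of thumb rather than a value the report states.

```python
"""Entropy heuristics behind two of the report's Data Obfuscation hits.

Added example, not sandbox or sample code: recomputes section entropy and
entropy of concatenated method names over constructed inputs.
"""
import math
import struct
from collections import Counter

# Assumed threshold: compiled x86/.NET code usually lands around 5.5-6.5 bits
# per byte, compressed or encrypted payloads approach 8.0.
PACKED_THRESHOLD = 7.0

# Method names quoted in the report for one obfuscated class of RFQ.exe.
OBFUSCATED_NAMES = ['.ctor', 'gAE016xS6', 'FEKtKxNYK', 'fElIC1b6R', 'XS6OFDNww',
                    'Wjr3Ci1VZ', 'TPnSnYXJa', 'EKgZ2KNH2', 'ul1DkZ8NV', 'mj6fK8G1U']
# Constructed comparison: a class of the same size with ordinary method names.
PLAIN_NAMES = ['.ctor', 'Dispose', 'Initialize', 'LoadSettings', 'SaveSettings',
               'Connect', 'Disconnect', 'SendReport', 'GetVersion', 'ToString']


def shannon_entropy(data) -> float:
    """Bits per symbol of the empirical symbol distribution in data (bytes or str)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def method_name_entropy(names) -> float:
    """The report's 'high entropy of concatenated method names' measurement."""
    return shannon_entropy("".join(names))


def is_likely_packed(entropy: float) -> bool:
    return entropy >= PACKED_THRESHOLD


def section_entropies(pe: bytes) -> list[tuple[str, float]]:
    """Walk the PE section table by hand and score each section's raw bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                         # first IMAGE_SECTION_HEADER
    result = []
    for i in range(num_sections):
        hdr = pe[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        result.append((name, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])))
    return result


def build_minimal_pe(sections) -> bytes:
    """Constructed PE-shaped blob (DOS stub, file header, section table, raw data).
    Not a loadable image; it only exists so the parser can be exercised offline."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    first_raw = e_lfanew + 4 + 20 + 40 * len(sections)   # raw data follows the table
    table, body = b"", b""
    for name, data in sections:
        table += name.ljust(8, b"\0")[:8]
        table += struct.pack("<IIII", len(data), 0x1000, len(data), first_raw + len(body))
        table += b"\0" * 16                               # relocs, line numbers, characteristics
        body += data
    # i386, N sections, no symbols, zero-length optional header, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    return dos + b"PE\0\0" + coff + table + body


if __name__ == "__main__":
    blob = build_minimal_pe([(b".text", bytes(range(256)) * 4), (b".rdata", b"A" * 1024)])
    for name, ent in section_entropies(blob):
        print(f"{name:8s} {ent:.3f} bits  packed={is_likely_packed(ent)}")
    print(f"obfuscated names {method_name_entropy(OBFUSCATED_NAMES):.2f} bits, "
          f"plain names {method_name_entropy(PLAIN_NAMES):.2f} bits")
```

The constructed `.text` (every byte value equally often) scores exactly 8.0 and the constant-filled `.rdata` scores 0.0, bracketing where the report's 7.846 sits. The obfuscated names come out above 5 bits per character against roughly 4 for the ordinary names; the heuristic is useful as a triage flag, not proof, since short class names and legitimate minifiers can push the number up too.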
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00403BC7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,4_2_00403BC7
              Source: C:\Users\user\Desktop\RFQ.exe Process information set: NOOPENFILEERRORBOX (36 identical events)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX (49 identical events)
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX (5 identical events)

              Malware Analysis System Evasion:
