Loading ...

Play interactive tourEdit tour

Analysis Report RFQ.exe

Overview

General Information

Sample Name:RFQ.exe
Analysis ID:294566
MD5:7f91ed7d4b64c6751f43e7eb7c17a9a6
SHA1:77cfd27f09c6cb17038f200ed436306adc0da753
SHA256:76f4037b2878a1f9d902b58becabe775f8f99df45b2c5c80ac9eb61a8da4a255
Tags:exe

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Keylogger Generic
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Startup

  • System is w10x64
  • RFQ.exe (PID: 5716 cmdline: 'C:\Users\user\Desktop\RFQ.exe' MD5: 7F91ED7D4B64C6751F43E7EB7C17A9A6)
    • RFQ.exe (PID: 3880 cmdline: 'C:\Users\user\Desktop\RFQ.exe' MD5: 7F91ED7D4B64C6751F43E7EB7C17A9A6)
      • vbc.exe (PID: 6796 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD9D1.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 768 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD019.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • RFQ.exe (PID: 6332 cmdline: 'C:\Users\user\Desktop\RFQ.exe' 2 3880 6145203 MD5: 7F91ED7D4B64C6751F43E7EB7C17A9A6)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.648277636.00000000043F2000.00000040.00000001.sdmpMAL_HawkEye_Keylogger_Gen_Dec18Detects HawkEye Keylogger RebornFlorian Roth
  • 0x80f3a:$s2: _ScreenshotLogger
  • 0x80f07:$s3: _PasswordStealer
00000000.00000002.648277636.00000000043F2000.00000040.00000001.sdmpJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
    00000000.00000002.648421564.000000000448F000.00000040.00000001.sdmpMAL_HawkEye_Keylogger_Gen_Dec18Detects HawkEye Keylogger RebornFlorian Roth
    • 0x81222:$s2: _ScreenshotLogger
    • 0x811ef:$s3: _PasswordStealer
    00000000.00000002.648421564.000000000448F000.00000040.00000001.sdmpJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
      00000001.00000002.908605539.000000000049F000.00000040.00000001.sdmpMAL_HawkEye_Keylogger_Gen_Dec18Detects HawkEye Keylogger RebornFlorian Roth
      • 0x81222:$s2: _ScreenshotLogger
      • 0x811ef:$s3: _PasswordStealer
      Click to see the 38 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      1.2.RFQ.exe.2440000.4.unpackMAL_HawkEye_Keylogger_Gen_Dec18Detects HawkEye Keylogger RebornFlorian Roth
      • 0x8113a:$s2: _ScreenshotLogger
      • 0x81107:$s3: _PasswordStealer
      1.2.RFQ.exe.2440000.4.unpackJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
        1.2.RFQ.exe.2440000.4.unpackHawkEyev9HawkEye v9 Payloadditekshen
        • 0x81107:$str1: _PasswordStealer
        • 0x81118:$str2: _KeyStrokeLogger
        • 0x8113a:$str3: _ScreenshotLogger
        • 0x81129:$str4: _ClipboardLogger
        • 0x8114c:$str5: _WebCamLogger
        • 0x81261:$str6: _AntiVirusKiller
        • 0x8124f:$str7: _ProcessElevation
        • 0x81216:$str8: _DisableCommandPrompt
        • 0x8131c:$str9: _WebsiteBlocker
        • 0x8132c:$str9: _WebsiteBlocker
        • 0x81202:$str10: _DisableTaskManager
        • 0x8127d:$str11: _AntiDebugger
        • 0x81307:$str12: _WebsiteVisitorSites
        • 0x8122c:$str13: _DisableRegEdit
        • 0x8128b:$str14: _ExecutionDelay
        • 0x811b0:$str15: _InstallStartupPersistance
        1.2.RFQ.exe.2320000.2.raw.unpackMAL_HawkEye_Keylogger_Gen_Dec18Detects HawkEye Keylogger RebornFlorian Roth
        • 0x8113a:$s2: _ScreenshotLogger
        • 0x81107:$s3: _PasswordStealer
        1.2.RFQ.exe.2320000.2.raw.unpackJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
          Click to see the 31 entries

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: vbc.exe.6796.3.memstrMalware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
          Multi AV Scanner detection for domain / URLShow sources
          Source: eagleeyeapparels.comVirustotal: Detection: 11%Perma Link
          Source: mail.eagleeyeapparels.comVirustotal: Detection: 10%Perma Link
          Source: http://pomf.cat/upload.phpVirustotal: Detection: 10%Perma Link
          Multi AV Scanner detection for submitted fileShow sources
          Source: RFQ.exeReversingLabs: Detection: 39%
          Machine Learning detection for sampleShow sources
          Source: RFQ.exeJoe Sandbox ML: detected
          Source: 1.2.RFQ.exe.2440000.4.unpackAvira: Label: TR/Dropper.Gen
          Source: 1.2.RFQ.exe.23b0000.3.unpackAvira: Label: TR/Dropper.Gen
          Source: 1.2.RFQ.exe.400000.0.unpackAvira: Label: TR/Dropper.Gen
          Source: 0.2.RFQ.exe.43f0000.3.unpackAvira: Label: TR/Dropper.Gen
          Source: 0.2.RFQ.exe.4370000.2.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00408904 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,0_2_00408904
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00405A24 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00405A24
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 2_2_00408904 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,2_2_00408904
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 2_2_00405A24 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,2_2_00405A24
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_0040A1A7 FindFirstFileW,FindNextFileW,3_2_0040A1A7

          Networking:

          barindex
          May check the online IP address of the machineShow sources
          Source: unknownDNS query: name: bot.whatismyipaddress.com
          Source: unknownDNS query: name: bot.whatismyipaddress.com
          Source: unknownDNS query: name: bot.whatismyipaddress.com
          Source: unknownDNS query: name: bot.whatismyipaddress.com
          Source: unknownDNS query: name: bot.whatismyipaddress.com
          Source: global trafficTCP traffic: 192.168.2.4:49754 -> 54.39.139.67:587
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: bot.whatismyipaddress.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: bot.whatismyipaddress.com
          Source: Joe Sandbox ViewIP Address: 66.171.248.178 66.171.248.178
          Source: Joe Sandbox ViewIP Address: 66.171.248.178 66.171.248.178
          Source: Joe Sandbox ViewASN Name: OVHFR OVHFR
          Source: global trafficTCP traffic: 192.168.2.4:49754 -> 54.39.139.67:587
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_0250A186 recv,1_2_0250A186
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: bot.whatismyipaddress.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: bot.whatismyipaddress.com
          Source: vbc.exe, 00000003.00000003.661076443.0000000002121000.00000004.00000001.sdmpString found in binary or memory: %2C188%2C226&rtime=278&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=145&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591https://consent.google.com/done8https://consent.google.com/set?pc=s&uxe=4421591https://consent.google.com/sethttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=M
          Source: vbc.exe, 00000003.00000003.661076443.0000000002121000.00000004.00000001.sdmpString found in binary or memory: %2C188%2C226&rtime=278&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=145&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591https://consent.google.com/done8https://consent.google.com/set?pc=s&uxe=4421591https://consent.google.com/sethttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=M
          Source: RFQ.exe, 00000001.00000003.646730127.0000000004443000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.661332781.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
          Source: RFQ.exe, 00000001.00000003.646730127.0000000004443000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.661332781.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
          Source: vbc.exe, 00000003.00000002.661790685.0000000002122000.00000004.00000001.sdmpString found in binary or memory: chrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.facebook.com (Facebook)
          Source: vbc.exe, 00000003.00000002.661790685.0000000002122000.00000004.00000001.sdmpString found in binary or memory: chrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.yahoo.com (Yahoo)
          Source: vbc.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
          Source: unknownDNS traffic detected: queries for: 64.89.4.0.in-addr.arpa
          Source: RFQ.exe, 00000001.00000002.913393512.0000000002DE6000.00000004.00000001.sdmp, RFQ.exe, 00000001.00000002.912986170.0000000002D9E000.00000004.00000001.sdmpString found in binary or memory: http://bot.whatismyipaddress.com
          Source: RFQ.exe, 00000001.00000002.912438070.0000000002BE3000.00000004.00000001.sdmpString found in binary or memory: http://bot.whatismyipaddress.com/
          Source: RFQ.exe, 00000001.00000002.912986170.0000000002D9E000.00000004.00000001.sdmpString found in binary or memory: http://bot.whatismyipaddress.comx&
          Source: RFQ.exe, 00000001.00000002.920174596.0000000008200000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
          Source: RFQ.exe, 00000001.00000002.920174596.0000000008200000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
          Source: RFQ.exe, 00000001.00000002.920174596.0000000008200000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
          Source: RFQ.exe, 00000001.00000002.920174596.0000000008200000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
          Source: RFQ.exe, 00000001.00000002.920174596.0000000008200000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
          Source: RFQ.exeString found in binary or memory: http://pomf.cat/upload.php
          Source: RFQ.exe, 00000000.00000002.648421564.000000000448F000.00000040.00000001.sdmp, RFQ.exe, 00000001.00000002.908605539.000000000049F000.00000040.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
          Source: RFQ.exe, 00000001.00000002.912438070.0000000002BE3000.00000004.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
          Source: vbc.exe, 00000003.00000002.661308163.0000000000193000.00000004.00000010.sdmpString found in binary or memory: http://www.nirsoft.net
          Source: vbc.exe, 0000000E.00000002.794499093.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
          Source: vbc.exe, 00000003.00000002.661790685.0000000002122000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
          Source: RFQ.exe, 00000001.00000002.912438070.0000000002BE3000.00000004.00000001.sdmpString found in binary or memory: https://a.pomf.cat/
          Source: vbc.exe, 00000003.00000003.661076443.0000000002121000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.660418647.0000000002123000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
          Source: vbc.exe, 00000003.00000003.661076443.0000000002121000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.660418647.0000000002123000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/medianet.php?cid=8CU157172&cr
          Source: vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
          Source: RFQ.exe, 00000001.00000002.920174596.0000000008200000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
          Source: vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
          Source: vbc.exe, 00000003.00000003.660418647.0000000002123000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.htmlhttps://www.google.com/intl/en_uk/chrome/http

          Key, Mouse, Clipboard, Microphone and Screen Capturing:

          barindex
          Yara detected HawkEye KeyloggerShow sources
          Source: Yara matchFile source: 00000000.00000002.648277636.00000000043F2000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.648421564.000000000448F000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.908605539.000000000049F000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.909105648.0000000002320000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.909290407.0000000002442000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000001.645379498.00000000004C7000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.909191366.00000000023B2000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.908511822.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.912460369.0000000002BE9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: RFQ.exe PID: 5716, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: RFQ.exe PID: 3880, type: MEMORY
          Source: Yara matchFile source: 1.2.RFQ.exe.2440000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.RFQ.exe.2320000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.RFQ.exe.2320000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.RFQ.exe.4370000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.RFQ.exe.23b0000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.RFQ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.RFQ.exe.43f0000.3.unpack, type: UNPACKEDPE
          Yara detected Keylogger GenericShow sources
          Source: Yara matchFile source: Process Memory Space: RFQ.exe PID: 5716, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: RFQ.exe PID: 3880, type: MEMORY
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00406F9E OpenClipboard,0_2_00406F9E
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0042375C GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,0_2_0042375C
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 2_2_00423DA0 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,2_2_00423DA0
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0043D67C GetKeyboardState,0_2_0043D67C

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000000.00000002.648277636.00000000043F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000000.00000002.648421564.000000000448F000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000001.00000002.908605539.000000000049F000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000001.00000002.909105648.0000000002320000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000001.00000002.909105648.0000000002320000.00000004.00000001.sdmp, type: MEMORYMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 00000001.00000002.909290407.0000000002442000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000001.00000001.645379498.00000000004C7000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000001.00000002.910352168.00000000025D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 00000001.00000002.909191366.00000000023B2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000001.00000002.908511822.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000001.00000002.912460369.0000000002BE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 0000000E.00000002.794499093.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: Process Memory Space: RFQ.exe PID: 5716, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: Process Memory Space: RFQ.exe PID: 3880, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 1.2.RFQ.exe.2440000.4.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 1.2.RFQ.exe.2440000.4.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 1.2.RFQ.exe.2320000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 1.2.RFQ.exe.2320000.2.raw.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 1.2.RFQ.exe.2320000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 1.2.RFQ.exe.2320000.2.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 14.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 1.2.RFQ.exe.25d0000.5.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 0.2.RFQ.exe.4370000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 0.2.RFQ.exe.4370000.2.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 1.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 1.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 1.2.RFQ.exe.23b0000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 1.2.RFQ.exe.23b0000.3.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 1.1.RFQ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 1.1.RFQ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: 1.2.RFQ.exe.25d0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 14.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 0.2.RFQ.exe.43f0000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 0.2.RFQ.exe.43f0000.3.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_004406C8 NtdllDefWindowProc_A,GetCapture,0_2_004406C8
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0045B738 NtdllDefWindowProc_A,0_2_0045B738
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00432154 NtdllDefWindowProc_A,0_2_00432154
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00450328 GetSubMenu,SaveDC,RestoreDC,72E7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,0_2_00450328
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0045BEB4 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_0045BEB4
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0045BF64 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_0045BF64
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_00498159 NtCreateSection,1_2_00498159
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 2_2_004406C8 NtdllDefWindowProc_A,GetCapture,2_2_004406C8
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 2_2_0045B738 NtdllDefWindowProc_A,2_2_0045B738
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 2_2_00432154 NtdllDefWindowProc_A,2_2_00432154
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 2_2_00450328 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,2_2_00450328
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 2_2_0045BEB4 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,2_2_0045BEB4
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 2_2_0045BF64 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,2_2_0045BF64
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,3_2_0040A5A9
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_004503280_2_00450328
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00411C270_2_00411C27
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00455E0C0_2_00455E0C
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_00444A661_2_00444A66
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_004919761_2_00491976
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_0049713D1_2_0049713D
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_004E1D4E1_2_004E1D4E
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_025024781_2_02502478
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 2_2_004503282_2_00450328
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 2_2_00411C272_2_00411C27
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 2_2_00455E0C2_2_00455E0C
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_004360CE3_2_004360CE
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_0040509C3_2_0040509C
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_004051993_2_00405199
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_0043C2D03_2_0043C2D0
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_004404063_2_00440406
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_0040451D3_2_0040451D
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_004045FF3_2_004045FF
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_0040458E3_2_0040458E
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_004046903_2_00404690
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00414A513_2_00414A51
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00404C083_2_00404C08
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00406C8E3_2_00406C8E
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00415DF33_2_00415DF3
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00416E5C3_2_00416E5C
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00410FE43_2_00410FE4
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00445190 appears 36 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00416849 appears 66 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 0040924D appears 31 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 004166E8 appears 34 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00416A91 appears 88 times
          Source: C:\Users\user\Desktop\RFQ.exeCode function: String function: 00403518 appears 44 times
          Source: C:\Users\user\Desktop\RFQ.exeCode function: String function: 00404284 appears 148 times
          Source: C:\Users\user\Desktop\RFQ.exeCode function: String function: 004038E4 appears 54 times
          Source: C:\Users\user\Desktop\RFQ.exeCode function: String function: 0040C16C appears 36 times
          Source: C:\Users\user\Desktop\RFQ.exeCode function: String function: 00406650 appears 32 times
          Source: RFQ.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
          Source: RFQ.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: RFQ.exe, 00000000.00000002.648421564.000000000448F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameRebornX Stub.exe" vs RFQ.exe
          Source: RFQ.exe, 00000000.00000002.647256379.0000000002490000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs RFQ.exe
          Source: RFQ.exeBinary or memory string: OriginalFilename vs RFQ.exe
          Source: RFQ.exe, 00000001.00000002.919355538.0000000007D90000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs RFQ.exe
          Source: RFQ.exe, 00000001.00000002.908605539.000000000049F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameRebornX Stub.exe" vs RFQ.exe
          Source: RFQ.exe, 00000001.00000002.918349392.0000000007940000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewmiutils.dll.muij% vs RFQ.exe
          Source: RFQ.exe, 00000001.00000003.646730127.0000000004443000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs RFQ.exe
          Source: 00000000.00000002.648277636.00000000043F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000000.00000002.648421564.000000000448F000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000001.00000002.908605539.000000000049F000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000001.00000002.909105648.0000000002320000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000001.00000002.909105648.0000000002320000.00000004.00000001.sdmp, type: MEMORYMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 00000001.00000002.909290407.0000000002442000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000001.00000001.645379498.00000000004C7000.00000040.00020000.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000001.00000002.910352168.00000000025D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 00000001.00000002.909191366.00000000023B2000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000001.00000002.908511822.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000001.00000002.912460369.0000000002BE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000000E.00000002.794499093.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: Process Memory Space: RFQ.exe PID: 5716, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: Process Memory Space: RFQ.exe PID: 3880, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: Process Memory Space: RFQ.exe PID: 3880, type: MEMORYMatched rule: CobaltStrike_C2_Host_Indicator date = 2019-08-16, author = yara@s3c.za.net, description = Detects CobaltStrike C2 host artifacts
          Source: 1.2.RFQ.exe.2440000.4.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 1.2.RFQ.exe.2440000.4.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 1.2.RFQ.exe.2320000.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 1.2.RFQ.exe.2320000.2.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 1.2.RFQ.exe.2320000.2.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 1.2.RFQ.exe.2320000.2.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 14.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 1.2.RFQ.exe.25d0000.5.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 0.2.RFQ.exe.4370000.2.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.RFQ.exe.4370000.2.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 1.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 1.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 1.2.RFQ.exe.23b0000.3.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 1.2.RFQ.exe.23b0000.3.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 1.1.RFQ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 1.1.RFQ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 1.2.RFQ.exe.25d0000.5.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 14.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 0.2.RFQ.exe.43f0000.3.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.RFQ.exe.43f0000.3.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 0.2.RFQ.exe.43f0000.3.unpack, u200d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
          Source: 0.2.RFQ.exe.43f0000.3.unpack, u200d????????????????????????????????????????.csCryptographic APIs: 'CreateDecryptor'
          Source: 0.2.RFQ.exe.43f0000.3.unpack, u200c???????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
          Source: 0.2.RFQ.exe.43f0000.3.unpack, u200d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
          Source: 1.2.RFQ.exe.23b0000.3.unpack, u200d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
          Source: 1.2.RFQ.exe.23b0000.3.unpack, u200c???????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
          Source: 1.2.RFQ.exe.23b0000.3.unpack, u200d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
          Source: 1.2.RFQ.exe.23b0000.3.unpack, u200d????????????????????????????????????????.csCryptographic APIs: 'CreateDecryptor'
          Source: 1.2.RFQ.exe.400000.0.unpack, u200c???????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
          Source: 1.2.RFQ.exe.400000.0.unpack, u200d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
          Source: 1.2.RFQ.exe.400000.0.unpack, u200d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
          Source: 1.2.RFQ.exe.400000.0.unpack, u200d????????????????????????????????????????.csCryptographic APIs: 'CreateDecryptor'
          Source: 1.2.RFQ.exe.400000.0.unpack, u206f????????????????????????????????????????.csSecurity API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
          Source: 1.2.RFQ.exe.400000.0.unpack, u206f????????????????????????????????????????.csSecurity API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
          Source: 1.2.RFQ.exe.400000.0.unpack, u206f????????????????????????????????????????.csSecurity API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
          Source: 0.2.RFQ.exe.43f0000.3.unpack, u206a????????????????????????????????????????.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 0.2.RFQ.exe.43f0000.3.unpack, u206f????????????????????????????????????????.csSecurity API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
          Source: 0.2.RFQ.exe.43f0000.3.unpack, u206f????????????????????????????????????????.csSecurity API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
          Source: 0.2.RFQ.exe.43f0000.3.unpack, u206f????????????????????????????????????????.csSecurity API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
          Source: 1.2.RFQ.exe.23b0000.3.unpack, u206a????????????????????????????????????????.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 0.2.RFQ.exe.43f0000.3.unpack, u202d????????????????????????????????????????.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 0.2.RFQ.exe.43f0000.3.unpack, u202d????????????????????????????????????????.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 1.2.RFQ.exe.400000.0.unpack, u202d????????????????????????????????????????.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 1.2.RFQ.exe.400000.0.unpack, u202d????????????????????????????????????????.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 1.2.RFQ.exe.23b0000.3.unpack, u202d????????????????????????????????????????.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 1.2.RFQ.exe.23b0000.3.unpack, u202d????????????????????????????????????????.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 1.2.RFQ.exe.400000.0.unpack, u206a????????????????????????????????????????.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 1.2.RFQ.exe.23b0000.3.unpack, u206f????????????????????????????????????????.csSecurity API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
          Source: 1.2.RFQ.exe.23b0000.3.unpack, u206f????????????????????????????????????????.csSecurity API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
          Source: 1.2.RFQ.exe.23b0000.3.unpack, u206f????????????????????????????????????????.csSecurity API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
          Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@9/2@3/2
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00420730 GetLastError,FormatMessageA,0_2_00420730
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00408A7C GetDiskFreeSpaceA,0_2_00408A7C
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00413C19 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification,3_2_00413C19
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_004139A4 FindResourceA,0_2_004139A4
          Source: C:\Users\user\Desktop\RFQ.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
          Source: C:\Users\user\Desktop\RFQ.exeMutant created: \Sessions\1\BaseNamedObjects\f98d37f4-ca90-4ed7-9f6f-6121c4014605
          Source: C:\Users\user\Desktop\RFQ.exeFile created: C:\Users\user\AppData\Local\Temp\4ebb2f24-c6be-8e3b-cece-ca16ce69803aJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeSystem information queried: HandleInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
          Source: C:\Users\user\Desktop\RFQ.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
          Source: C:\Users\user\Desktop\RFQ.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
          Source: C:\Users\user\Desktop\RFQ.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: RFQ.exe, 00000001.00000003.646730127.0000000004443000.00000004.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
          Source: RFQ.exe, 00000001.00000003.646730127.0000000004443000.00000004.00000001.sdmp, vbc.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
          Source: RFQ.exe, 00000001.00000003.646730127.0000000004443000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.661332781.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
          Source: RFQ.exe, 00000001.00000003.646730127.0000000004443000.00000004.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
          Source: RFQ.exe, 00000001.00000003.646730127.0000000004443000.00000004.00000001.sdmp, vbc.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
          Source: RFQ.exe, 00000001.00000003.646730127.0000000004443000.00000004.00000001.sdmp, vbc.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
          Source: RFQ.exe, 00000001.00000003.646730127.0000000004443000.00000004.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
          Source: RFQ.exeReversingLabs: Detection: 39%
          Source: unknownProcess created: C:\Users\user\Desktop\RFQ.exe 'C:\Users\user\Desktop\RFQ.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\RFQ.exe 'C:\Users\user\Desktop\RFQ.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\RFQ.exe 'C:\Users\user\Desktop\RFQ.exe' 2 3880 6145203
          Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD9D1.tmp'
          Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD019.tmp'
          Source: C:\Users\user\Desktop\RFQ.exeProcess created: C:\Users\user\Desktop\RFQ.exe 'C:\Users\user\Desktop\RFQ.exe' Jump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess created: C:\Users\user\Desktop\RFQ.exe 'C:\Users\user\Desktop\RFQ.exe' 2 3880 6145203Jump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD9D1.tmp'Jump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD019.tmp'Jump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
          Source: RFQ.exeStatic file information: File size 1072640 > 1048576
          Source: C:\Users\user\Desktop\RFQ.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
          Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: RFQ.exe, 00000001.00000003.646730127.0000000004443000.00000004.00000001.sdmp, vbc.exe
          Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: RFQ.exe, 00000001.00000002.915268537.0000000002EAB000.00000004.00000001.sdmp, vbc.exe, 0000000E.00000002.794499093.0000000000400000.00000040.00000001.sdmp

          Data Obfuscation:

          barindex
          Detected unpacking (changes PE section rights)Show sources
          Source: C:\Users\user\Desktop\RFQ.exeUnpacked PE file: 1.2.RFQ.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
          Detected unpacking (creates a PE file in dynamic memory)Show sources
          Source: C:\Users\user\Desktop\RFQ.exeUnpacked PE file: 1.2.RFQ.exe.2440000.4.unpack
          Detected unpacking (overwrites its own PE header)Show sources
          Source: C:\Users\user\Desktop\RFQ.exeUnpacked PE file: 1.2.RFQ.exe.400000.0.unpack
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0046E5D4 LoadLibraryA,GetProcAddress,CreateThread,WaitForSingleObjectEx,0_2_0046E5D4
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00447B14 push 00447BA1h; ret 0_2_00447B99
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0041002C push 0041008Dh; ret 0_2_00410085
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00436034 push 00436060h; ret 0_2_00436058
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00410090 push 00410291h; ret 0_2_00410289
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0043619C push 004361C8h; ret 0_2_004361C0
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0046224C push ecx; mov dword ptr [esp], ecx0_2_00462251
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0041C218 push ecx; mov dword ptr [esp], edx0_2_0041C21D
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0042E3FC push 0042E428h; ret 0_2_0042E420
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00410380 push 004103B0h; ret 0_2_004103A8
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00410384 push 004103B0h; ret 0_2_004103A8
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0042E46C push 0042E498h; ret 0_2_0042E490
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0042E434 push 0042E460h; ret 0_2_0042E458
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0042E4DC push 0042E508h; ret 0_2_0042E500
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0042E4A4 push 0042E4D0h; ret 0_2_0042E4C8
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0041A4AC push ecx; mov dword ptr [esp], edx0_2_0041A4AE
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0042E55C push 0042E588h; ret 0_2_0042E580
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0040650E push 00406561h; ret 0_2_00406559
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00406510 push 00406561h; ret 0_2_00406559
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0042E514 push 0042E540h; ret 0_2_0042E538
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0046E644 push 0046E670h; ret 0_2_0046E668
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0046E67C push 0046E6A2h; ret 0_2_0046E69A
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_004066E0 push 0040670Ch; ret 0_2_00406704
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00406758 push 00406784h; ret 0_2_0040677C
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_004287D0 push 00428811h; ret 0_2_00428809
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00428854 push 0042888Ch; ret 0_2_00428884
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0042881C push 00428848h; ret 0_2_00428840
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00464964 push 00464990h; ret 0_2_00464988
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0042697C push 00426A4Ch; ret 0_2_00426A44
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0044A9DC push 0044AA08h; ret 0_2_0044AA00
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00448AC0 push ecx; mov dword ptr [esp], edx0_2_00448AC4
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0045EAE0 push 0045EB18h; ret 0_2_0045EB10
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0045B7C0 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,0_2_0045B7C0
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00442644 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,0_2_00442644
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_004588B4 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,0_2_004588B4
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00442F28 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,0_2_00442F28
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_004271E4 IsIconic,GetWindowPlacement,GetWindowRect,0_2_004271E4
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00441D9C IsIconic,GetCapture,0_2_00441D9C
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0045BEB4 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_0045BEB4
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0045BF64 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_0045BF64
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 2_2_0045B7C0 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,2_2_0045B7C0
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 2_2_00442644 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,2_2_00442644
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 2_2_004588B4 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,2_2_004588B4
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 2_2_00442F28 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,2_2_00442F28
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 2_2_004271E4 IsIconic,GetWindowPlacement,GetWindowRect,2_2_004271E4
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 2_2_00441D9C IsIconic,GetCapture,2_2_00441D9C
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 2_2_0045BEB4 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,2_2_0045BEB4
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 2_2_0045BF64 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,2_2_0045BF64
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_004474C8 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,0_2_004474C8
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior