
Analysis Report RQF.exe

Overview

General Information

Sample Name:RQF.exe
Analysis ID:295325
MD5:640e96c610bb396933412f55a0e046d6
SHA1:85b93904804752a3b88ead49058207b66dd67ec8
SHA256:c944ec2c1c332672384769d2abfbb4f298f9fcaa63b18b4094e1d9779fa82fe0
Tags:exe

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Startup

  • System is w10x64
  • RQF.exe (PID: 4596 cmdline: 'C:\Users\user\Desktop\RQF.exe' MD5: 640E96C610BB396933412F55A0E046D6)
    • RQF.exe (PID: 5652 cmdline: 'C:\Users\user\Desktop\RQF.exe' MD5: 640E96C610BB396933412F55A0E046D6)
      • vbc.exe (PID: 6756 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp6E6E.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 5556 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp667B.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • RQF.exe (PID: 1476 cmdline: 'C:\Users\user\Desktop\RQF.exe' 2 5652 4477234 MD5: 640E96C610BB396933412F55A0E046D6)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["browserpv", "mailpv", "WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.933217992.0000000002A79000.00000004.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x8e243:$s2: _ScreenshotLogger
  • 0x8e78f:$s2: _ScreenshotLogger
  • 0x8e210:$s3: _PasswordStealer
  • 0x8e75c:$s3: _PasswordStealer
00000003.00000002.933217992.0000000002A79000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000003.00000002.929281253.00000000021F2000.00000004.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x80f3a:$s2: _ScreenshotLogger
  • 0x80f07:$s3: _PasswordStealer
00000003.00000002.929281253.00000000021F2000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000003.00000001.663630915.000000000049F000.00000040.00020000.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x81222:$s2: _ScreenshotLogger
  • 0x811ef:$s3: _PasswordStealer
36 further entries omitted

Unpacked PEs

Source | Rule | Description | Author | Strings
3.1.RQF.exe.400000.0.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x120222:$s2: _ScreenshotLogger
  • 0x1201ef:$s3: _PasswordStealer
3.1.RQF.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
3.1.RQF.exe.400000.0.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen
  • 0x1201ef:$str1: _PasswordStealer
  • 0x120200:$str2: _KeyStrokeLogger
  • 0x120222:$str3: _ScreenshotLogger
  • 0x120211:$str4: _ClipboardLogger
  • 0x120234:$str5: _WebCamLogger
  • 0x120349:$str6: _AntiVirusKiller
  • 0x120337:$str7: _ProcessElevation
  • 0x1202fe:$str8: _DisableCommandPrompt
  • 0x120404:$str9: _WebsiteBlocker
  • 0x120414:$str9: _WebsiteBlocker
  • 0x1202ea:$str10: _DisableTaskManager
  • 0x120365:$str11: _AntiDebugger
  • 0x1203ef:$str12: _WebsiteVisitorSites
  • 0x120314:$str13: _DisableRegEdit
  • 0x120373:$str14: _ExecutionDelay
  • 0x120298:$str15: _InstallStartupPersistance
3.2.RQF.exe.9b0000.2.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x8113a:$s2: _ScreenshotLogger
  • 0x81107:$s3: _PasswordStealer
3.2.RQF.exe.9b0000.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
31 further entries omitted

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: RQF.exe | Avira: detected
Found malware configuration
Source: RQF.exe.5652.3.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["browserpv", "mailpv", "WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for domain / URL
Source: eagleeyeapparels.com | Virustotal: Detection: 11%
Source: mail.eagleeyeapparels.com | Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: RQF.exe | Virustotal: Detection: 47%
Source: RQF.exe | ReversingLabs: Detection: 43%
Machine Learning detection for sample
Source: RQF.exe | Joe Sandbox ML: detected
Source: 2.2.RQF.exe.4310000.3.unpack | Avira: Label: TR/Dropper.Gen
Source: 3.2.RQF.exe.22e0000.4.unpack | Avira: Label: TR/Dropper.Gen
Source: 2.2.RQF.exe.42a0000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 3.2.RQF.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 3.2.RQF.exe.21f0000.3.unpack | Avira: Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\RQF.exe | Code function: 2_2_004088E4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,2_2_004088E4
Source: C:\Users\user\Desktop\RQF.exe | Code function: 2_2_004089E4 FindFirstFileA,GetLastError,2_2_004089E4
Source: C:\Users\user\Desktop\RQF.exe | Code function: 2_2_00405AA8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,2_2_00405AA8
Source: C:\Users\user\Desktop\RQF.exe | Code function: 4_2_004088E4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,4_2_004088E4
Source: C:\Users\user\Desktop\RQF.exe | Code function: 4_2_004089E4 FindFirstFileA,GetLastError,4_2_004089E4
Source: C:\Users\user\Desktop\RQF.exe | Code function: 4_2_00405AA8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,4_2_00405AA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_0040A1A7 FindFirstFileW,FindNextFileW,5_2_0040A1A7

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: bot.whatismyipaddress.com
Source: global traffic | TCP traffic: 192.168.2.4:49743 -> 54.39.139.67:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: bot.whatismyipaddress.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: bot.whatismyipaddress.com
Source: Joe Sandbox View | IP Address: 66.171.248.178
Source: Joe Sandbox View | ASN Name: OVHFR
Source: C:\Users\user\Desktop\RQF.exe | Code function: 3_2_023CA186 recv,3_2_023CA186
Source: RQF.exe, 00000003.00000002.937040119.0000000002C97000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.683221503.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: RQF.exe, 00000003.00000002.937040119.0000000002C97000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.683221503.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: 51.143.5.0.in-addr.arpa
Source: RQF.exe, 00000003.00000002.936804661.0000000002C2E000.00000004.00000001.sdmp, RQF.exe, 00000003.00000002.937009453.0000000002C76000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com
Source: RQF.exe, 00000003.00000002.933202320.0000000002A73000.00000004.00000001.sdmp, RQF.exe, 00000003.00000002.936740333.0000000002BC0000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com/
Source: RQF.exe, 00000003.00000002.936804661.0000000002C2E000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.comx&
Source: RQF.exe, 00000003.00000002.927419738.00000000007EC000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RQF.exe, 00000003.00000002.942889408.00000000081C0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RQF.exe, 00000003.00000002.927419738.00000000007EC000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RQF.exe, 00000003.00000002.927419738.00000000007EC000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: RQF.exe, 00000003.00000002.927419738.00000000007EC000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: RQF.exe | String found in binary or memory: http://pomf.cat/upload.php
Source: RQF.exe, 00000002.00000002.668472215.0000000004312000.00000040.00000001.sdmp, RQF.exe, 00000003.00000002.929281253.00000000021F2000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: RQF.exe, 00000003.00000002.933202320.0000000002A73000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: vbc.exe, 00000005.00000002.683548743.0000000000698000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMh
Source: vbc.exe, 00000005.00000002.683194982.000000000019C000.00000004.00000010.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: vbc.exe, 0000000E.00000002.816861478.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: vbc.exe, 00000005.00000002.683606445.0000000000AC2000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
Source: RQF.exe, 00000003.00000002.933202320.0000000002A73000.00000004.00000001.sdmp | String found in binary or memory: https://a.pomf.cat/
Source: vbc.exe, 00000005.00000002.683548743.0000000000698000.00000004.00000020.sdmp | String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591LMEM
Source: vbc.exe, 00000005.00000003.683004416.0000000000AC1000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.682555421.0000000000AC3000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 00000005.00000003.683004416.0000000000AC1000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.682555421.0000000000AC3000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/medianet.php?cid=8CU157172&cr
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: RQF.exe, 00000003.00000002.927419738.00000000007EC000.00000004.00000020.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: vbc.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 00000005.00000002.683548743.0000000000698000.00000004.00000020.sdmp | String found in binary or memory: https://www.google.com/chrome/st
Source: vbc.exe, 00000005.00000002.683548743.0000000000698000.00000004.00000020.sdmp | String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: vbc.exe, 00000005.00000002.683548743.0000000000698000.00000004.00000020.sdmp | String found in binary or memory: https://www.google.com/favicon.ico
Source: vbc.exe, 00000005.00000002.683548743.0000000000698000.00000004.00000020.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
Source: vbc.exe, 00000005.00000003.682555421.0000000000AC3000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.htmlhttps://www.google.com/intl/en_uk/chrome/http

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000003.00000002.933217992.0000000002A79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.929281253.00000000021F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000001.663630915.000000000049F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.929989100.00000000022E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.668472215.0000000004312000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.668761190.00000000043AF000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.926210605.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.928502607.00000000009B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.926468476.000000000049F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RQF.exe PID: 5652, type: MEMORY
Source: Yara match | File source: Process Memory Space: RQF.exe PID: 4596, type: MEMORY
Source: Yara match | File source: 3.1.RQF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RQF.exe.9b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RQF.exe.22e0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RQF.exe.9b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RQF.exe.42a0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RQF.exe.4310000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RQF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RQF.exe.21f0000.3.unpack, type: UNPACKEDPE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_0040FDCB OpenClipboard,GetLastError,DeleteFileW,5_2_0040FDCB
Source: C:\Users\user\Desktop\RQF.exe | Code function: 2_2_004231B4 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,2_2_004231B4
Source: C:\Users\user\Desktop\RQF.exe | Code function: 4_2_004237F8 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,4_2_004237F8
Source: C:\Users\user\Desktop\RQF.exe | Code function: 2_2_0043A904 GetKeyboardState,2_2_0043A904

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 00000003.00000002.933217992.0000000002A79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000003.00000002.929281253.00000000021F2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000003.00000001.663630915.000000000049F000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000003.00000002.929989100.00000000022E2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000002.00000002.668472215.0000000004312000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000002.00000002.668761190.00000000043AF000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000003.00000002.926210605.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000003.00000002.928502607.00000000009B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 00000003.00000002.928502607.00000000009B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HawkEye v9 Payload Author: ditekshen
          Source: 00000003.00000002.933011284.00000000028A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 00000003.00000002.926468476.000000000049F000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 0000000E.00000002.816861478.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: Process Memory Space: RQF.exe PID: 5652, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: Process Memory Space: RQF.exe PID: 4596, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 3.1.RQF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 3.1.RQF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
          Source: 3.2.RQF.exe.9b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 3.2.RQF.exe.9b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
          Source: 3.2.RQF.exe.22e0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 3.2.RQF.exe.22e0000.4.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
          Source: 3.2.RQF.exe.9b0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 3.2.RQF.exe.9b0000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
          Source: 14.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 2.2.RQF.exe.42a0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 2.2.RQF.exe.42a0000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
          Source: 14.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 3.2.RQF.exe.28a0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 2.2.RQF.exe.4310000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 2.2.RQF.exe.4310000.3.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
          Source: 3.2.RQF.exe.28a0000.5.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
          Source: 3.2.RQF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 3.2.RQF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
          Source: 3.2.RQF.exe.21f0000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
          Source: 3.2.RQF.exe.21f0000.3.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 2_2_00458630 NtdllDefWindowProc_A
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 2_2_0043D83C NtdllDefWindowProc_A,GetCapture
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 2_2_00430980 NtdllDefWindowProc_A
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 2_2_00458DAC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 2_2_00458E5C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 2_2_0044D220 GetSubMenu,SaveDC,RestoreDC,SaveDC,RestoreDC,NtdllDefWindowProc_A
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 3_2_00498159 NtCreateSection
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 4_2_00458630 NtdllDefWindowProc_A
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 4_2_0043D83C NtdllDefWindowProc_A,GetCapture
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 4_2_00430980 NtdllDefWindowProc_A
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 4_2_00458DAC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 4_2_00458E5C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 4_2_0044D220 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 2_2_00452D04
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 2_2_0044D220
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 3_2_00444A66
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 3_2_00491976
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 3_2_0049713D
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 3_2_004E1D4E
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 3_2_023C2478
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 4_2_00452D04
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 4_2_0044D220
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_004360CE
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_0040509C
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00405199
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_0043C2D0
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00440406
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_0040451D
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_004045FF
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_0040458E
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00404690
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00414A51
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00404C08
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00406C8E
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00415DF3
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00416E5C
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00410FE4
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00445190 appears 36 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00416849 appears 66 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0040924D appears 31 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004166E8 appears 34 times
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00416A91 appears 88 times
          Source: C:\Users\user\Desktop\RQF.exe | Code function: String function: 00403968 appears 84 times
          Source: C:\Users\user\Desktop\RQF.exe | Code function: String function: 00403D90 appears 34 times
          Source: C:\Users\user\Desktop\RQF.exe | Code function: String function: 0040432C appears 40 times
          Source: C:\Users\user\Desktop\RQF.exe | Code function: String function: 0040359C appears 74 times
          Source: C:\Users\user\Desktop\RQF.exe | Code function: String function: 0040C360 appears 36 times
          Source: C:\Users\user\Desktop\RQF.exe | Code function: String function: 004066D4 appears 32 times
          Source: C:\Users\user\Desktop\RQF.exe | Code function: String function: 00404308 appears 162 times
          Source: C:\Users\user\Desktop\RQF.exe | Code function: String function: 00403DE4 appears 42 times
          Source: RQF.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: RQF.exe, 00000002.00000002.668472215.0000000004312000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameRebornX Stub.exe" vs RQF.exe
          Source: RQF.exe, 00000002.00000002.667592006.00000000009D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs RQF.exe
          Source: RQF.exe | Binary or memory string: OriginalFilename vs RQF.exe
          Source: RQF.exe, 00000003.00000002.933217992.0000000002A79000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRebornX Stub.exe" vs RQF.exe
          Source: RQF.exe, 00000003.00000002.941392535.0000000007D50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs RQF.exe
          Source: RQF.exe, 00000003.00000002.939509574.0000000007900000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewmiutils.dll.muij% vs RQF.exe
          Source: RQF.exe, 00000003.00000002.927295451.00000000007B7000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs RQF.exe
          Source: RQF.exe, 00000003.00000002.937040119.0000000002C97000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs RQF.exe
          Source: RQF.exe, 00000003.00000002.926735860.0000000000530000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs RQF.exe
          Source: 00000003.00000002.933217992.0000000002A79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000003.00000002.929281253.00000000021F2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000003.00000001.663630915.000000000049F000.00000040.00020000.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000003.00000002.929989100.00000000022E2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000002.00000002.668472215.0000000004312000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000002.00000002.668761190.00000000043AF000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000003.00000002.926210605.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000003.00000002.928502607.00000000009B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000003.00000002.928502607.00000000009B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 00000003.00000002.933011284.00000000028A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 00000003.00000002.926468476.000000000049F000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000000E.00000002.816861478.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: Process Memory Space: RQF.exe PID: 5652, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: Process Memory Space: RQF.exe PID: 5652, type: MEMORY | Matched rule: CobaltStrike_C2_Host_Indicator date = 2019-08-16, author = yara@s3c.za.net, description = Detects CobaltStrike C2 host artifacts
          Source: Process Memory Space: RQF.exe PID: 4596, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 3.1.RQF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 3.1.RQF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 3.2.RQF.exe.9b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 3.2.RQF.exe.9b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 3.2.RQF.exe.22e0000.4.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 3.2.RQF.exe.22e0000.4.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 3.2.RQF.exe.9b0000.2.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 3.2.RQF.exe.9b0000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 14.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 2.2.RQF.exe.42a0000.2.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 2.2.RQF.exe.42a0000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 14.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 3.2.RQF.exe.28a0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 2.2.RQF.exe.4310000.3.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 2.2.RQF.exe.4310000.3.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 3.2.RQF.exe.28a0000.5.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
          Source: 3.2.RQF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 3.2.RQF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 3.2.RQF.exe.21f0000.3.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 3.2.RQF.exe.21f0000.3.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
          Source: 2.2.RQF.exe.4310000.3.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 2.2.RQF.exe.4310000.3.unpack, u200c???????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 2.2.RQF.exe.4310000.3.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 2.2.RQF.exe.4310000.3.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 2.2.RQF.exe.4310000.3.unpack, u206a????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 2.2.RQF.exe.4310000.3.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
          Source: 2.2.RQF.exe.4310000.3.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
          Source: 2.2.RQF.exe.4310000.3.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
          Source: 2.2.RQF.exe.4310000.3.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 2.2.RQF.exe.4310000.3.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@9/2@5/3
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 2_2_004202CC GetLastError,FormatMessageA
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 2_2_00408C08 GetDiskFreeSpaceA
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 5_2_00413C19 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification
          Source: C:\Users\user\Desktop\RQF.exe | Code function: 2_2_00413AE0 FindResourceA
          Source: C:\Users\user\Desktop\RQF.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
          Source: C:\Users\user\Desktop\RQF.exe | Mutant created: \Sessions\1\BaseNamedObjects\f98d37f4-ca90-4ed7-9f6f-6121c4014605
          Source: C:\Users\user\Desktop\RQF.exe | File created: C:\Users\user\AppData\Local\Temp\701d94db-c899-585e-5907-ee05ac26af19
          Source: C:\Users\user\Desktop\RQF.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\user\Desktop\RQF.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\user\Desktop\RQF.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\RQF.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Users\user\Desktop\RQF.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
          Source: C:\Users\user\Desktop\RQF.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
          Source: C:\Users\user\Desktop\RQF.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
          Source: C:\Users\user\Desktop\RQF.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
          Source: C:\Users\user\Desktop\RQF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\RQF.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\RQF.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\RQF.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\RQF.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\RQF.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\RQF.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: RQF.exe, 00000003.00000002.937040119.0000000002C97000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
          Source: RQF.exe, 00000003.00000002.937040119.0000000002C97000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
          Source: RQF.exe, 00000003.00000002.937040119.0000000002C97000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.683221503.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
          Source: RQF.exe, 00000003.00000002.937040119.0000000002C97000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
          Source: RQF.exe, 00000003.00000002.937040119.0000000002C97000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
          Source: RQF.exe, 00000003.00000002.937040119.0000000002C97000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
          Source: RQF.exe, 00000003.00000002.937040119.0000000002C97000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
          Source: RQF.exe | Virustotal: Detection: 47%
          Source: RQF.exe | ReversingLabs: Detection: 43%
          Source: unknownProcess created: C:\Users\user\Desktop\RQF.exe 'C:\Users\user\Desktop\RQF.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\RQF.exe 'C:\Users\user\Desktop\RQF.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\RQF.exe 'C:\Users\user\Desktop\RQF.exe' 2 5652 4477234
          Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp6E6E.tmp'
          Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp667B.tmp'
          Source: C:\Users\user\Desktop\RQF.exeProcess created: C:\Users\user\Desktop\RQF.exe 'C:\Users\user\Desktop\RQF.exe' Jump to behavior
          Source: C:\Users\user\Desktop\RQF.exeProcess created: C:\Users\user\Desktop\RQF.exe 'C:\Users\user\Desktop\RQF.exe' 2 5652 4477234Jump to behavior
          Source: C:\Users\user\Desktop\RQF.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp6E6E.tmp'Jump to behavior
          Source: C:\Users\user\Desktop\RQF.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp667B.tmp'Jump to behavior
          Source: C:\Users\user\Desktop\RQF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
          Source: C:\Users\user\Desktop\RQF.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
          Source: C:\Users\user\Desktop\RQF.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
          Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: RQF.exe, 00000003.00000002.937040119.0000000002C97000.00000004.00000001.sdmp, vbc.exe
          Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: RQF.exe, 00000003.00000002.933011284.00000000028A0000.00000004.00000001.sdmp, vbc.exe, 0000000E.00000002.816861478.0000000000400000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_0044463C SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 2_2_0044463C
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_00444C88 push 00444D15h; ret 2_2_00444D0D
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_0041A174 push ecx; mov dword ptr [esp], edx 2_2_0041A176
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_0040C10A push 0040C17Bh; ret 2_2_0040C173
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_0040C10C push 0040C17Bh; ret 2_2_0040C173
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_0040C1EA push 0040C218h; ret 2_2_0040C210
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_0040C1EC push 0040C218h; ret 2_2_0040C210
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_00428274 push 004282A0h; ret 2_2_00428298
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_00410220 push 00410281h; ret 2_2_00410279
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_00428228 push 00428269h; ret 2_2_00428261
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_00410284 push 00410485h; ret 2_2_0041047D
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_004282AC push 004282E4h; ret 2_2_004282DC
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_004263D2 push 004264A4h; ret 2_2_0042649C
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_004263D4 push 004264A4h; ret 2_2_0042649C
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_00410488 push 004105A4h; ret 2_2_0041059C
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_0045E54C push 0045E578h; ret 2_2_0045E570
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_00410578 push 004105A4h; ret 2_2_0041059C
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_004285D0 push 004285FCh; ret 2_2_004285F4
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_00406592 push 004065E5h; ret 2_2_004065DD
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_00406594 push 004065E5h; ret 2_2_004065DD
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_004265B4 push 004265E0h; ret 2_2_004265D8
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_0043A6A4 push ecx; mov dword ptr [esp], ecx 2_2_0043A6A8
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_00406764 push 00406790h; ret 2_2_00406788
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_0045A77C push 0045A7D6h; ret 2_2_0045A7CE
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_004067DC push 00406808h; ret 2_2_00406800
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_0042E7F0 push 0042E81Ch; ret 2_2_0042E814
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_0042E860 push 0042E88Ch; ret 2_2_0042E884
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_0042686C push 00426898h; ret 2_2_00426890
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_00416818 push ecx; mov dword ptr [esp], edx 2_2_0041681A
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_0042E828 push 0042E854h; ret 2_2_0042E84C
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_0042E8D0 push 0042E8FCh; ret 2_2_0042E8F4
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_0042E898 push 0042E8C4h; ret 2_2_0042E8BC
          Source: initial sample Static PE information: section name: UPX0
          Source: initial sample Static PE information: section name: UPX1
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_004586B8 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 2_2_004586B8
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_0044009C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 2_2_0044009C
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_00426C3C IsIconic,GetWindowPlacement,GetWindowRect, 2_2_00426C3C
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_00458DAC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 2_2_00458DAC
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_00458E5C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 2_2_00458E5C
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_0043EF10 IsIconic,GetCapture, 2_2_0043EF10
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_004557AC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 2_2_004557AC
          Source: C:\Users\user\Desktop\RQF.exe Code function: 2_2_0043F7B8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 2_2_0043F7B8
          Source: C:\Users\user\Desktop\RQF.exe Code function: 4_2_004586B8 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 4_2_004586B8
          Source: C:\Users\user\Desktop\RQF.exe Code function: 4_2_0044009C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 4_2_0044009C
          Source: C:\Users\user\Desktop\RQF.exe Code function: 4_2_00426C3C IsIconic,GetWindowPlacement,GetWindowRect, 4_2_00426C3C
          Source: C:\Users\user\Desktop\RQF.exe Code function: 4_2_00458DAC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 4_2_00458DAC
          Source: C:\Users\user\Desktop\RQF.exe Code function: 4_2_00458E5C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 4_2_00458E5C
          Source: C:\Users\user\Desktop\RQF.exe Code function: 4_2_0043EF10 IsIconic,GetCapture, 4_2_0043EF10
          Source: C:\Users\user\Desktop\RQF.exe Code function: 4_2_004557AC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 4_2_004557AC
          Source: C:\Users\user\Desktop\RQF.exe Code function: 4_2_0043F7B8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 4_2_0043F7B8
          Source: C:\Users\user\Desktop\RQF.exe Process information set: NOOPENFILEERRORBOX