

Analysis Report RFQ (2).exe

Overview

General Information

Sample Name: RFQ (2).exe
Analysis ID: 295560
MD5: 491b5032691babc841e83246767aa5be
SHA1: 42558032f6a165980742ad5278ca0f2db0d5c4c2
SHA256: c2689bc7e035365f3aad0880c3f2526da7e6934882be23bef2b7fa20f4b04513
Tags: exe, HawkEye

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected Keylogger Generic
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Startup

  • System is w10x64
  • RFQ (2).exe (PID: 5968 cmdline: 'C:\Users\user\Desktop\RFQ (2).exe' MD5: 491B5032691BABC841E83246767AA5BE)
    • RFQ (2).exe (PID: 5692 cmdline: 'C:\Users\user\Desktop\RFQ (2).exe' MD5: 491B5032691BABC841E83246767AA5BE)
      • vbc.exe (PID: 6880 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp8D3B.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 5176 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp844E.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • RFQ (2).exe (PID: 3120 cmdline: 'C:\Users\user\Desktop\RFQ (2).exe' 2 5692 7370359 MD5: 491B5032691BABC841E83246767AA5BE)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.910854432.0000000002B29000.00000004.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x8e31f:$s2: _ScreenshotLogger
  • 0x8e86b:$s2: _ScreenshotLogger
  • 0x8e2ec:$s3: _PasswordStealer
  • 0x8e838:$s3: _PasswordStealer
00000001.00000002.910854432.0000000002B29000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000000.00000002.645965737.000000000439F000.00000040.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x81222:$s2: _ScreenshotLogger
  • 0x811ef:$s3: _PasswordStealer
00000000.00000002.645965737.000000000439F000.00000040.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000001.00000002.913159099.0000000006631000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.RFQ (2).exe.23b0000.3.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x480f3a:$s2: _ScreenshotLogger
  • 0x480f07:$s3: _PasswordStealer
1.2.RFQ (2).exe.23b0000.3.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
1.2.RFQ (2).exe.23b0000.3.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen
  • 0x480f07:$str1: _PasswordStealer
  • 0x480f18:$str2: _KeyStrokeLogger
  • 0x480f3a:$str3: _ScreenshotLogger
  • 0x480f29:$str4: _ClipboardLogger
  • 0x480f4c:$str5: _WebCamLogger
  • 0x481061:$str6: _AntiVirusKiller
  • 0x48104f:$str7: _ProcessElevation
  • 0x481016:$str8: _DisableCommandPrompt
  • 0x48111c:$str9: _WebsiteBlocker
  • 0x48112c:$str9: _WebsiteBlocker
  • 0x481002:$str10: _DisableTaskManager
  • 0x48107d:$str11: _AntiDebugger
  • 0x481107:$str12: _WebsiteVisitorSites
  • 0x48102c:$str13: _DisableRegEdit
  • 0x48108b:$str14: _ExecutionDelay
  • 0x480fb0:$str15: _InstallStartupPersistance
1.2.RFQ (2).exe.b00000.2.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x7f33a:$s2: _ScreenshotLogger
  • 0x7f307:$s3: _PasswordStealer
1.2.RFQ (2).exe.b00000.2.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview



AV Detection:

Found malware configuration
Source: vbc.exe.6880.4.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for domain / URL
Source: eagleeyeapparels.com | Virustotal: Detection: 11%
Source: mail.eagleeyeapparels.com | Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: RFQ (2).exe | Virustotal: Detection: 30%
Source: RFQ (2).exe | ReversingLabs: Detection: 27%
Source: 0.2.RFQ (2).exe.4290000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.RFQ (2).exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.2.RFQ (2).exe.4300000.3.unpack | Avira: Label: TR/Dropper.Gen
Source: 1.2.RFQ (2).exe.24d0000.4.unpack | Avira: Label: TR/Dropper.Gen
Source: 1.2.RFQ (2).exe.23b0000.3.unpack | Avira: Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_00408AFC FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,0_2_00408AFC
Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_00405B98 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00405B98
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_0040A1A7 FindFirstFileW,FindNextFileW,4_2_0040A1A7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 9_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,9_2_0040702D

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: bot.whatismyipaddress.com (5 queries)
Source: global traffic | TCP traffic: 192.168.2.4:49747 -> 54.39.139.67:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: bot.whatismyipaddress.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: bot.whatismyipaddress.com
Source: Joe Sandbox View | IP Address: 66.171.248.178
Source: Joe Sandbox View | ASN Name: OVHFR
Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 1_2_0246A186 recv,1_2_0246A186
Source: vbc.exe, 00000004.00000003.660270339.00000000022B1000.00000004.00000001.sdmp | String found in binary or memory: %2C188%2C226&rtime=278&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=145&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591https://consent.google.com/done8https://consent.google.com/set?pc=s&uxe=4421591https://consent.google.com/sethttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=M
Source: RFQ (2).exe, 00000001.00000002.913159099.0000000006631000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.660619170.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: RFQ (2).exe, 00000001.00000002.913159099.0000000006631000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.660619170.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, 00000004.00000002.661055384.00000000022B2000.00000004.00000001.sdmp | String found in binary or memory: chrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.facebook.com (Facebook)
Source: vbc.exe, 00000004.00000002.661055384.00000000022B2000.00000004.00000001.sdmp | String found in binary or memory: chrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: 63.155.11.0.in-addr.arpa
Source: RFQ (2).exe, 00000001.00000002.911275599.0000000002D26000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com
Source: RFQ (2).exe, 00000001.00000002.910844409.0000000002B23000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com/
Source: RFQ (2).exe, 00000001.00000002.911131922.0000000002CDE000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.comx&
Source: RFQ (2).exe, 00000001.00000002.911275599.0000000002D26000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RFQ (2).exe, 00000001.00000002.914084556.0000000008200000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RFQ (2).exe, 00000001.00000002.911275599.0000000002D26000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RFQ (2).exe, 00000001.00000002.911275599.0000000002D26000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: RFQ (2).exe, 00000001.00000002.911275599.0000000002D26000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: RFQ (2).exe | String found in binary or memory: http://pomf.cat/upload.php
Source: RFQ (2).exe, 00000000.00000002.645965737.000000000439F000.00000040.00000001.sdmp, RFQ (2).exe, 00000001.00000002.908777011.000000000049F000.00000040.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: RFQ (2).exe, 00000001.00000002.910844409.0000000002B23000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: vbc.exe, 00000004.00000002.660572471.000000000019C000.00000004.00000010.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: vbc.exe, vbc.exe, 00000009.00000002.793616979.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: vbc.exe, 00000004.00000002.661055384.00000000022B2000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
Source: RFQ (2).exe, 00000001.00000002.910844409.0000000002B23000.00000004.00000001.sdmp | String found in binary or memory: https://a.pomf.cat/
Source: vbc.exe, 00000004.00000003.659695216.00000000022B3000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.660270339.00000000022B1000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 00000004.00000003.659695216.00000000022B3000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.660270339.00000000022B1000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/medianet.php?cid=8CU157172&cr
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: RFQ (2).exe, 00000001.00000002.911275599.0000000002D26000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: vbc.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 00000004.00000003.659695216.00000000022B3000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.htmlhttps://www.google.com/intl/en_uk/chrome/http

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000001.00000002.910854432.0000000002B29000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.645965737.000000000439F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.908777011.000000000049F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.908630601.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.910031922.00000000024D2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.909387420.0000000000B00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.645890176.0000000004302000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.909693579.00000000023B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ (2).exe PID: 5692, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ (2).exe PID: 5968, type: MEMORY
Source: Yara match | File source: 1.2.RFQ (2).exe.23b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RFQ (2).exe.b00000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RFQ (2).exe.24d0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RFQ (2).exe.b00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ (2).exe.4290000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ (2).exe.4300000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RFQ (2).exe.400000.0.unpack, type: UNPACKEDPE
Yara detected Keylogger Generic
Source: Yara match | File source: Process Memory Space: RFQ (2).exe PID: 5692, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ (2).exe PID: 5968, type: MEMORY
Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_0040718E OpenClipboard,0_2_0040718E
Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_00424CA0 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,0_2_00424CA0
Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_00438EB8 GetKeyboardState,0_2_00438EB8

System Summary:

            Malicious sample detected (through community Yara rule)Show sources
            Source: 00000001.00000002.910854432.0000000002B29000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 00000000.00000002.645965737.000000000439F000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 00000001.00000002.908777011.000000000049F000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 00000001.00000002.908630601.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 00000001.00000002.910031922.00000000024D2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 00000001.00000002.909387420.0000000000B00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 00000001.00000002.909387420.0000000000B00000.00000004.00000001.sdmp, type: MEMORYMatched rule: HawkEye v9 Payload Author: ditekshen
            Source: 00000001.00000002.910220506.0000000002710000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 00000000.00000002.645890176.0000000004302000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 00000001.00000002.909693579.00000000023B2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 00000009.00000002.793616979.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: Process Memory Space: RFQ (2).exe PID: 5692, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: Process Memory Space: RFQ (2).exe PID: 5968, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 1.2.RFQ (2).exe.23b0000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 1.2.RFQ (2).exe.23b0000.3.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
            Source: 1.2.RFQ (2).exe.b00000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 1.2.RFQ (2).exe.b00000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
            Source: 1.2.RFQ (2).exe.24d0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 1.2.RFQ (2).exe.24d0000.4.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
            Source: 9.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 1.2.RFQ (2).exe.2710000.5.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 1.2.RFQ (2).exe.b00000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 1.2.RFQ (2).exe.b00000.2.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
            Source: 0.2.RFQ (2).exe.4290000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 0.2.RFQ (2).exe.4290000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
            Source: 9.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 0.2.RFQ (2).exe.4300000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 0.2.RFQ (2).exe.4300000.3.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
            Source: 1.2.RFQ (2).exe.2710000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
            Source: 1.2.RFQ (2).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
            Source: 1.2.RFQ (2).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_00456C4C NtdllDefWindowProc_A, | 0_2_00456C4C
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_0043BDF0 NtdllDefWindowProc_A,GetCapture, | 0_2_0043BDF0
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_0042F1F0 NtdllDefWindowProc_A, | 0_2_0042F1F0
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_004573C8 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, | 0_2_004573C8
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_00457478 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, | 0_2_00457478
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_0044B81C GetSubMenu,SaveDC,RestoreDC,72E7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A, | 0_2_0044B81C
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 1_2_00498159 NtCreateSection, | 1_2_00498159
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification, | 4_2_0040A5A9
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_0046ABCC | 0_2_0046ABCC
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_00464D68 | 0_2_00464D68
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_00451320 | 0_2_00451320
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_0044B81C | 0_2_0044B81C
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 1_2_00444A66 | 1_2_00444A66
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 1_2_00491976 | 1_2_00491976
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 1_2_0049713D | 1_2_0049713D
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 1_2_004E1D4E | 1_2_004E1D4E
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 1_2_02462478 | 1_2_02462478
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_004360CE | 4_2_004360CE
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_0040509C | 4_2_0040509C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00405199 | 4_2_00405199
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_0043C2D0 | 4_2_0043C2D0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00440406 | 4_2_00440406
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_0040451D | 4_2_0040451D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_004045FF | 4_2_004045FF
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_0040458E | 4_2_0040458E
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00404690 | 4_2_00404690
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00414A51 | 4_2_00414A51
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00404C08 | 4_2_00404C08
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00406C8E | 4_2_00406C8E
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00415DF3 | 4_2_00415DF3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00416E5C | 4_2_00416E5C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 9_2_00404DE5 | 9_2_00404DE5
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 9_2_00404E56 | 9_2_00404E56
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 9_2_00404EC7 | 9_2_00404EC7
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 9_2_00404F58 | 9_2_00404F58
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 9_2_0040BF6B | 9_2_0040BF6B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00445190 appears 34 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00416849 appears 59 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00412084 appears 39 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004166E8 appears 32 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00416A91 appears 85 times
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: String function: 004043F8 appears 71 times
            Source: RFQ (2).exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
            Source: RFQ (2).exe, 00000000.00000002.645965737.000000000439F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameRebornX Stub.exe" vs RFQ (2).exe
            Source: RFQ (2).exe, 00000000.00000002.645066426.000000000050F000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename$ vs RFQ (2).exe
            Source: RFQ (2).exe, 00000000.00000002.645308034.0000000002340000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs RFQ (2).exe
            Source: RFQ (2).exe | Binary or memory string: OriginalFilename vs RFQ (2).exe
            Source: RFQ (2).exe, 00000001.00000002.913934069.0000000007ED0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs RFQ (2).exe
            Source: RFQ (2).exe, 00000001.00000002.910854432.0000000002B29000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRebornX Stub.exe" vs RFQ (2).exe
            Source: RFQ (2).exe, 00000001.00000002.913159099.0000000006631000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs RFQ (2).exe
            Source: RFQ (2).exe, 00000001.00000002.909372471.0000000000740000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs RFQ (2).exe
            Source: RFQ (2).exe, 00000001.00000002.913689826.0000000007A80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewmiutils.dll.muij% vs RFQ (2).exe
            Source: RFQ (2).exe, 00000001.00000000.642848889.000000000050F000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename$ vs RFQ (2).exe
            Source: RFQ (2).exe, 00000002.00000000.644533172.000000000050F000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename$ vs RFQ (2).exe
            Source: RFQ (2).exe | Binary or memory string: OriginalFilename$ vs RFQ (2).exe
            Source: 00000001.00000002.910854432.0000000002B29000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 | date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000000.00000002.645965737.000000000439F000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 | date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000001.00000002.908777011.000000000049F000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 | date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000001.00000002.908630601.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 | date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000001.00000002.910031922.00000000024D2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 | date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000001.00000002.909387420.0000000000B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 | date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000001.00000002.909387420.0000000000B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HawkEyev9 | author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 00000001.00000002.910220506.0000000002710000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 | date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000000.00000002.645890176.0000000004302000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 | date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000001.00000002.909693579.00000000023B2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 | date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000009.00000002.793616979.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 | date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: Process Memory Space: RFQ (2).exe PID: 5692, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 | date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: Process Memory Space: RFQ (2).exe PID: 5692, type: MEMORY | Matched rule: CobaltStrike_C2_Host_Indicator | date = 2019-08-16, author = yara@s3c.za.net, description = Detects CobaltStrike C2 host artifacts
            Source: Process Memory Space: RFQ (2).exe PID: 5968, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 | date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.RFQ (2).exe.23b0000.3.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 | date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.RFQ (2).exe.23b0000.3.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 | author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 1.2.RFQ (2).exe.b00000.2.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 | date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.RFQ (2).exe.b00000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 | author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 1.2.RFQ (2).exe.24d0000.4.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 | date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.RFQ (2).exe.24d0000.4.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 | author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 9.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 | date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 1.2.RFQ (2).exe.2710000.5.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 | date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 1.2.RFQ (2).exe.b00000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 | date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.RFQ (2).exe.b00000.2.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 | author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 0.2.RFQ (2).exe.4290000.2.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 | date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.RFQ (2).exe.4290000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 | author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 9.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 | date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 0.2.RFQ (2).exe.4300000.3.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 | date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.RFQ (2).exe.4300000.3.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 | author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 1.2.RFQ (2).exe.2710000.5.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 | date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 1.2.RFQ (2).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 | date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 1.2.RFQ (2).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 | author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 0.2.RFQ (2).exe.4300000.3.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.RFQ (2).exe.4300000.3.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 0.2.RFQ (2).exe.4300000.3.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.RFQ (2).exe.4300000.3.unpack, u200c???????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.RFQ (2).exe.4300000.3.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: 0.2.RFQ (2).exe.4300000.3.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.RFQ (2).exe.4300000.3.unpack, u206a????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
            Source: 0.2.RFQ (2).exe.4300000.3.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
            Source: 0.2.RFQ (2).exe.4300000.3.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
            Source: 0.2.RFQ (2).exe.4300000.3.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
            Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@9/2@3/2
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_004183B8 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free, | 4_2_004183B8
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_00408C74 GetDiskFreeSpaceA, | 0_2_00408C74
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00413C19 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification, | 4_2_00413C19
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_00414FF8 FindResourceA, | 0_2_00414FF8
            Source: C:\Users\user\Desktop\RFQ (2).exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Users\user\Desktop\RFQ (2).exe | Mutant created: \Sessions\1\BaseNamedObjects\f98d37f4-ca90-4ed7-9f6f-6121c4014605
            Source: C:\Users\user\Desktop\RFQ (2).exe | File created: C:\Users\user\AppData\Local\Temp\48571d16-4143-e18d-6fb2-bf962000a339
            Source: C:\Users\user\Desktop\RFQ (2).exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Desktop\RFQ (2).exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Desktop\RFQ (2).exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\RFQ (2).exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Users\user\Desktop\RFQ (2).exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
            Source: C:\Users\user\Desktop\RFQ (2).exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
            Source: C:\Users\user\Desktop\RFQ (2).exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
            Source: C:\Users\user\Desktop\RFQ (2).exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
            Source: C:\Users\user\Desktop\RFQ (2).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\Desktop\RFQ (2).exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\RFQ (2).exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\RFQ (2).exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\RFQ (2).exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\RFQ (2).exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\RFQ (2).exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: RFQ (2).exe, 00000001.00000002.913159099.0000000006631000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: RFQ (2).exe, 00000001.00000002.913159099.0000000006631000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: RFQ (2).exe, 00000001.00000002.913159099.0000000006631000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.660619170.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: RFQ (2).exe, 00000001.00000002.913159099.0000000006631000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
            Source: RFQ (2).exe, 00000001.00000002.913159099.0000000006631000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: RFQ (2).exe, 00000001.00000002.913159099.0000000006631000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: RFQ (2).exe, 00000001.00000002.913159099.0000000006631000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: RFQ (2).exe | Virustotal: Detection: 30%
            Source: RFQ (2).exe | ReversingLabs: Detection: 27%
            Source: unknown | Process created: C:\Users\user\Desktop\RFQ (2).exe 'C:\Users\user\Desktop\RFQ (2).exe'
            Source: unknown | Process created: C:\Users\user\Desktop\RFQ (2).exe 'C:\Users\user\Desktop\RFQ (2).exe'
            Source: unknown | Process created: C:\Users\user\Desktop\RFQ (2).exe 'C:\Users\user\Desktop\RFQ (2).exe' 2 5692 7370359
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp8D3B.tmp'
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp844E.tmp'
            Source: C:\Users\user\Desktop\RFQ (2).exe | Process created: C:\Users\user\Desktop\RFQ (2).exe 'C:\Users\user\Desktop\RFQ (2).exe'
            Source: C:\Users\user\Desktop\RFQ (2).exe | Process created: C:\Users\user\Desktop\RFQ (2).exe 'C:\Users\user\Desktop\RFQ (2).exe' 2 5692 7370359
            Source: C:\Users\user\Desktop\RFQ (2).exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp8D3B.tmp'
            Source: C:\Users\user\Desktop\RFQ (2).exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp844E.tmp'
            Source: C:\Users\user\Desktop\RFQ (2).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Users\user\Desktop\RFQ (2).exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: RFQ (2).exe | Static file information: File size 1105408 > 1048576
            Source: C:\Users\user\Desktop\RFQ (2).exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
            Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: RFQ (2).exe, 00000001.00000002.913159099.0000000006631000.00000004.00000001.sdmp, vbc.exe
            Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: RFQ (2).exe, 00000001.00000002.913159099.0000000006631000.00000004.00000001.sdmp, vbc.exe

            Data Obfuscation:

            Detected unpacking (changes PE section rights)
            Source: C:\Users\user\Desktop\RFQ (2).exe | Unpacked PE file: 1.2.RFQ (2).exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
            Detected unpacking (overwrites its own PE header)
            Source: C:\Users\user\Desktop\RFQ (2).exe | Unpacked PE file: 1.2.RFQ (2).exe.400000.0.unpack
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_00476CF0 LoadLibraryA,GetProcAddress,CreateThread,WaitForSingleObjectEx, | 0_2_00476CF0
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_004431F8 push 00443285h; ret | 0_2_0044327D
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_0045A0E4 push 0045A110h; ret | 0_2_0045A108
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_0045A154 push 0045A180h; ret | 0_2_0045A178
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_0045A11C push 0045A148h; ret | 0_2_0045A140
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_0045A1E4 push 0045A210h; ret | 0_2_0045A208
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_004441FC push ecx; mov dword ptr [esp], edx | 0_2_00444200
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_00428278 push 004282A4h; ret | 0_2_0042829C
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_00414230 push ecx; mov dword ptr [esp], edx | 0_2_00414235
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_0042A2C0 push 0042A301h; ret | 0_2_0042A2F9
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_0044C2D4 push 0044C33Fh; ret | 0_2_0044C337
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_0042A344 push 0042A37Ch; ret | 0_2_0042A374
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_0042A30C push 0042A338h; ret | 0_2_0042A330
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_004703F8 push 00470424h; ret | 0_2_0047041C
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_00414458 push ecx; mov dword ptr [esp], edx | 0_2_0041445D
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_00432464 push 004324CEh; ret | 0_2_004324C6
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_0041843C push ecx; mov dword ptr [esp], edx | 0_2_0041843E
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_004324D0 push 0043253Ah; ret | 0_2_00432532
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_00414574 push ecx; mov dword ptr [esp], edx | 0_2_00414579
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_00444534 push 00444560h; ret | 0_2_00444558
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_0045C5E0 push 0045C613h; ret | 0_2_0045C60B
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_004705A8 push ecx; mov dword ptr [esp], edx | 0_2_004705AD
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_004145B8 push ecx; mov dword ptr [esp], edx | 0_2_004145BD
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_0042A668 push 0042A694h; ret | 0_2_0042A68C
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_004766EC push 00476724h; ret | 0_2_0047671C
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_004126F1 push 00412724h; ret | 0_2_0041271C
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_004126F8 push 00412724h; ret | 0_2_0041271C
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_00406682 push 004066D5h; ret | 0_2_004066CD
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_00406684 push 004066D5h; ret | 0_2_004066CD
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_004126A0 push 004126EDh; ret | 0_2_004126E5
            Source: C:\Users\user\Desktop\RFQ (2).exe | Code function: 0_2_00406854 push 00406880h; ret | 0_2_00406878
            Source: C:\Users\user\Desktop\RFQ (2).exeCode function: 0_2_0041E866 push 0041E90Eh; ret 0_2_0041E906
            Source: C:\Users\user\Desktop\RFQ (2).exeCode function: 0_2_00456CD4 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,0_2_00456CD4
            Source: C:\Users\user\Desktop\RFQ (2).exeCode function: 0_2_0043E650 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,0_2_0043E650
            Source: C:\Users\user\Desktop\RFQ (2).exeCode function: 0_2_00428CD4 IsIconic,GetWindowPlacement,GetWindowRect,0_2_00428CD4
            Source: C:\Users\user\Desktop\RFQ (2).exeCode function: 0_2_004573C8 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_004573C8
            Source: C:\Users\user\Desktop\RFQ (2).exeCode function: 0_2_00457478 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_00457478
            Source: C:\Users\user\Desktop\RFQ (2).exeCode function: 0_2_0043D4C4 IsIconic,GetCapture,0_2_0043D4C4
            Source: C:\Users\user\Desktop\RFQ (2).exeCode function: 0_2_00442BAC SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,0_2_00442BAC
            Source: C:\Users\user\Desktop\RFQ (2).exeProcess information set: NOOPENFILEERRORBOXJump to behavior