Analysis Report RFQ.exe

Overview

General Information

Sample Name: RFQ.exe
Analysis ID: 296422
MD5: d3689ea11f7f9e48dd6bad9d74f42ecc
SHA1: 2d25035f72f3cce6a0f40ef9dc5ab4bc4eece1c5
SHA256: 7dfdce0a99eabe706a8f617d20f54ab7c933fd0e702dffed576ea3d5d74aea9d
Tags: exe, HawkEye

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Startup

  • System is w10x64
  • RFQ.exe (PID: 6960 cmdline: 'C:\Users\user\Desktop\RFQ.exe' MD5: D3689EA11F7F9E48DD6BAD9D74F42ECC)
    • RFQ.exe (PID: 7032 cmdline: 'C:\Users\user\Desktop\RFQ.exe' MD5: D3689EA11F7F9E48DD6BAD9D74F42ECC)
      • vbc.exe (PID: 4780 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpC897.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 4048 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpCBFE.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • RFQ.exe (PID: 7088 cmdline: 'C:\Users\user\Desktop\RFQ.exe' 2 7032 7054156 MD5: D3689EA11F7F9E48DD6BAD9D74F42ECC)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["mailpv"], "Version": ""}

Yara Overview

Memory Dumps

Source: 00000003.00000002.932681617.0000000002A90000.00000004.00000001.sdmp
Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1
Description: Detects BabyShark KimJongRAT
Author: Florian Roth
Strings:
  • 0x6b8fa:$a1: logins.json
  • 0x6b85a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x6c07e:$s4: \mozsqlite3.dll
  • 0x6a8ee:$s5: SMTP Password

Source: 00000003.00000002.932681617.0000000002A90000.00000004.00000001.sdmp
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 00000003.00000002.932681617.0000000002A90000.00000004.00000001.sdmp
Rule: JoeSecurity_WebBrowserPassView
Description: Yara detected WebBrowserPassView password recovery tool
Author: Joe Security

Source: 00000003.00000002.938460125.0000000006691000.00000004.00000001.sdmp
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 00000003.00000002.938460125.0000000006691000.00000004.00000001.sdmp
Rule: JoeSecurity_WebBrowserPassView
Description: Yara detected WebBrowserPassView password recovery tool
Author: Joe Security

36 entries in total (remaining entries not shown)

Unpacked PEs

Source: 3.2.RFQ.exe.7f0000.2.raw.unpack
Rule: MAL_HawkEye_Keylogger_Gen_Dec18
Description: Detects HawkEye Keylogger Reborn
Author: Florian Roth
Strings:
  • 0x8113a:$s2: _ScreenshotLogger
  • 0x81107:$s3: _PasswordStealer

Source: 3.2.RFQ.exe.7f0000.2.raw.unpack
Rule: JoeSecurity_HawkEye
Description: Yara detected HawkEye Keylogger
Author: Joe Security

Source: 3.2.RFQ.exe.7f0000.2.raw.unpack
Rule: HawkEyev9
Description: HawkEye v9 Payload
Author: ditekshen
Strings:
  • 0x81107:$str1: _PasswordStealer
  • 0x81118:$str2: _KeyStrokeLogger
  • 0x8113a:$str3: _ScreenshotLogger
  • 0x81129:$str4: _ClipboardLogger
  • 0x8114c:$str5: _WebCamLogger
  • 0x81261:$str6: _AntiVirusKiller
  • 0x8124f:$str7: _ProcessElevation
  • 0x81216:$str8: _DisableCommandPrompt
  • 0x8131c:$str9: _WebsiteBlocker
  • 0x8132c:$str9: _WebsiteBlocker
  • 0x81202:$str10: _DisableTaskManager
  • 0x8127d:$str11: _AntiDebugger
  • 0x81307:$str12: _WebsiteVisitorSites
  • 0x8122c:$str13: _DisableRegEdit
  • 0x8128b:$str14: _ExecutionDelay
  • 0x811b0:$str15: _InstallStartupPersistance

Source: 3.2.RFQ.exe.2280000.3.unpack
Rule: MAL_HawkEye_Keylogger_Gen_Dec18
Description: Detects HawkEye Keylogger Reborn
Author: Florian Roth
Strings:
  • 0x480f3a:$s2: _ScreenshotLogger
  • 0x480f07:$s3: _PasswordStealer

Source: 3.2.RFQ.exe.2280000.3.unpack
Rule: JoeSecurity_HawkEye
Description: Yara detected HawkEye Keylogger
Author: Joe Security

31 entries in total (remaining entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: vbc.exe.4048.11.memstr; Malware Configuration Extractor: HawkEye {"Modules": ["mailpv"], "Version": ""}
Multi AV Scanner detection for domain / URL
Source: eagleeyeapparels.com; Virustotal: Detection: 11%
Source: mail.eagleeyeapparels.com; Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: RFQ.exe; Virustotal: Detection: 23%
Source: RFQ.exe; ReversingLabs: Detection: 41%
Machine Learning detection for sample
Source: RFQ.exe; Joe Sandbox ML: detected
Source: 3.2.RFQ.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 3.2.RFQ.exe.2310000.4.unpack; Avira: Label: TR/Dropper.Gen
Source: 3.2.RFQ.exe.2280000.3.unpack; Avira: Label: TR/Dropper.Gen
Source: 0.2.RFQ.exe.2900000.2.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.RFQ.exe.2970000.3.unpack; Avira: Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\RFQ.exe; Code function: 0_2_00408868 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,0_2_00408868
Source: C:\Users\user\Desktop\RFQ.exe; Code function: 0_2_00405A28 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00405A28
Source: C:\Users\user\Desktop\RFQ.exe; Code function: 4_2_00408868 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,4_2_00408868
Source: C:\Users\user\Desktop\RFQ.exe; Code function: 4_2_00405A28 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,4_2_00405A28
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 6_2_0040A1A7 FindFirstFileW,FindNextFileW,6_2_0040A1A7

Networking:

May check the online IP address of the machine
Source: unknown; DNS query: name: bot.whatismyipaddress.com
Source: global traffic; TCP traffic: 192.168.2.4:49755 -> 54.39.139.67:587
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 Host: bot.whatismyipaddress.com Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 Host: bot.whatismyipaddress.com
Source: Joe Sandbox View; IP Address: 54.39.139.67
Source: Joe Sandbox View; IP Address: 66.171.248.178
Source: Joe Sandbox View; ASN Name: OVHFR
Source: C:\Users\user\Desktop\RFQ.exe; Code function: 3_2_0240A186 recv,3_2_0240A186
Source: RFQ.exe, 00000003.00000002.932681617.0000000002A90000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.701417564.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: RFQ.exe, 00000003.00000002.932681617.0000000002A90000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.701417564.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe; String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown; DNS traffic detected: queries for: 159.228.9.0.in-addr.arpa
Source: RFQ.exe, 00000003.00000002.934715807.0000000002D3E000.00000004.00000001.sdmp, RFQ.exe, 00000003.00000002.935202043.0000000002D86000.00000004.00000001.sdmp; String found in binary or memory: http://bot.whatismyipaddress.com
Source: RFQ.exe, 00000003.00000002.932899002.0000000002B83000.00000004.00000001.sdmp, RFQ.exe, 00000003.00000002.935202043.0000000002D86000.00000004.00000001.sdmp; String found in binary or memory: http://bot.whatismyipaddress.com/
Source: RFQ.exe, 00000003.00000002.934715807.0000000002D3E000.00000004.00000001.sdmp; String found in binary or memory: http://bot.whatismyipaddress.comx&
Source: RFQ.exe, 00000003.00000002.929788852.00000000009A0000.00000004.00000020.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RFQ.exe, 00000003.00000002.939398084.0000000008200000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RFQ.exe, 00000003.00000002.939398084.0000000008200000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0
Source: RFQ.exe, 00000003.00000002.935202043.0000000002D86000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RFQ.exe, 00000003.00000002.929697497.000000000090B000.00000004.00000020.sdmp; String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: RFQ.exe, 00000003.00000002.939398084.0000000008200000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.co
Source: RFQ.exe, 00000003.00000002.929697497.000000000090B000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
Source: RFQ.exe; String found in binary or memory: http://pomf.cat/upload.php
Source: RFQ.exe, 00000000.00000002.676284545.0000000002972000.00000040.00000001.sdmp, RFQ.exe, 00000003.00000002.928582311.000000000049F000.00000040.00000001.sdmp; String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: RFQ.exe, 00000003.00000002.932899002.0000000002B83000.00000004.00000001.sdmp; String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: vbc.exe, 00000006.00000002.701393249.000000000019C000.00000004.00000010.sdmp; String found in binary or memory: http://www.nirsoft.net
Source: vbc.exe, 0000000B.00000002.833002255.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: http://www.nirsoft.net/
Source: vbc.exe, 00000006.00000002.703358474.0000000002212000.00000004.00000001.sdmp; String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
Source: RFQ.exe, 00000003.00000002.932899002.0000000002B83000.00000004.00000001.sdmp; String found in binary or memory: https://a.pomf.cat/
Source: vbc.exe, 00000006.00000003.701016210.0000000002211000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.699113330.0000000002213000.00000004.00000001.sdmp; String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 00000006.00000003.701016210.0000000002211000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.699113330.0000000002213000.00000004.00000001.sdmp; String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/medianet.php?cid=8CU157172&cr
Source: vbc.exe; String found in binary or memory: https://login.yahoo.com/config/login
Source: RFQ.exe, 00000003.00000002.929697497.000000000090B000.00000004.00000020.sdmp; String found in binary or memory: https://sectigo.com/CPS0
Source: vbc.exe; String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 00000006.00000003.699113330.0000000002213000.00000004.00000001.sdmp; String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.htmlhttps://www.google.com/intl/en_uk/chrome/http

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match; File source: 00000003.00000002.928582311.000000000049F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.928489150.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.676284545.0000000002972000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.932934100.0000000002B89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.928933596.00000000007F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.676420482.0000000002A0F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.929993236.0000000002312000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000001.667994741.00000000004C7000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.929922075.0000000002282000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RFQ.exe PID: 7032, type: MEMORY
Source: Yara match; File source: Process Memory Space: RFQ.exe PID: 6960, type: MEMORY
Source: Yara match; File source: 3.2.RFQ.exe.7f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RFQ.exe.2280000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RFQ.exe.7f0000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RFQ.exe.2310000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ.exe.2900000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.1.RFQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ.exe.2970000.3.unpack, type: UNPACKEDPE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 6_2_0040FDCB OpenClipboard,GetLastError,DeleteFileW,6_2_0040FDCB
Source: C:\Users\user\Desktop\RFQ.exe; Code function: 0_2_00422FA4 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,0_2_00422FA4
Source: C:\Users\user\Desktop\RFQ.exe; Code function: 4_2_004235E8 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,4_2_004235E8
Source: C:\Users\user\Desktop\RFQ.exe; Code function: 0_2_00435E10 GetKeyboardState,0_2_00435E10

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.932681617.0000000002A90000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects BabyShark KimJongRAT; Author: Florian Roth
Source: 00000003.00000002.928582311.000000000049F000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn; Author: Florian Roth
Source: 00000003.00000002.928489150.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn; Author: Florian Roth
Source: 00000000.00000002.676284545.0000000002972000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn; Author: Florian Roth
Source: 00000003.00000002.932934100.0000000002B89000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn; Author: Florian Roth
Source: 00000003.00000002.928933596.00000000007F0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn; Author: Florian Roth
Source: 00000003.00000002.928933596.00000000007F0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: HawkEye v9 Payload; Author: ditekshen
Source: 00000000.00000002.676420482.0000000002A0F000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn; Author: Florian Roth
Source: 0000000B.00000002.833002255.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects BabyShark KimJongRAT; Author: Florian Roth
Source: 00000003.00000002.929993236.0000000002312000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn; Author: Florian Roth
Source: 00000003.00000001.667994741.00000000004C7000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn; Author: Florian Roth
Source: 00000003.00000002.929922075.0000000002282000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn; Author: Florian Roth
Source: Process Memory Space: RFQ.exe PID: 7032, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn; Author: Florian Roth
Source: Process Memory Space: RFQ.exe PID: 6960, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn; Author: Florian Roth
Source: 3.2.RFQ.exe.7f0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn; Author: Florian Roth
Source: 3.2.RFQ.exe.7f0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload; Author: ditekshen
Source: 3.2.RFQ.exe.2280000.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn; Author: Florian Roth
Source: 3.2.RFQ.exe.2280000.3.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload; Author: ditekshen
Source: 3.2.RFQ.exe.7f0000.2.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn; Author: Florian Roth
Source: 3.2.RFQ.exe.7f0000.2.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload; Author: ditekshen
Source: 3.2.RFQ.exe.2310000.4.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn; Author: Florian Roth
Source: 3.2.RFQ.exe.2310000.4.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload; Author: ditekshen
Source: 0.2.RFQ.exe.2900000.2.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn; Author: Florian Roth
Source: 0.2.RFQ.exe.2900000.2.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload; Author: ditekshen
Source: 3.1.RFQ.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn; Author: Florian Roth
Source: 3.1.RFQ.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload; Author: ditekshen
Source: 11.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT; Author: Florian Roth
Source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects BabyShark KimJongRAT; Author: Florian Roth
              Source: 3.2.RFQ.exe.2a90000.5.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 3.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: 3.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
              Source: 3.2.RFQ.exe.2a90000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 0.2.RFQ.exe.2970000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: 0.2.RFQ.exe.2970000.3.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_00438E5C NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_00453BF0 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0045436C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0045441C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_004487E0 GetSubMenu,SaveDC,RestoreDC,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0042CAB0 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 3_2_00498159 NtCreateSection
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4_2_00438E5C NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4_2_00453BF0 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4_2_0045436C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4_2_0045441C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4_2_004487E0 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4_2_0042CAB0 NtdllDefWindowProc_A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_0044E2C4
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_004487E0
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 3_2_00444A66
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 3_2_00491976
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 3_2_0049713D
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 3_2_004E1D4E
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 3_2_02402478
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4_2_0044E2C4
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4_2_004487E0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_004360CE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_0040509C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00405199
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_0043C2D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00440406
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_0040451D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_004045FF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_0040458E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00404690
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00414A51
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00404C08
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00406C8E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00415DF3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00416E5C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00410FE4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00445190 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00416849 appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0040924D appears 31 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004166E8 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00416A91 appears 88 times
Source: C:\Users\user\Desktop\RFQ.exe | Code function: String function: 0040351C appears 44 times
Source: C:\Users\user\Desktop\RFQ.exe | Code function: String function: 00404288 appears 144 times
Source: C:\Users\user\Desktop\RFQ.exe | Code function: String function: 004038E8 appears 58 times
Source: C:\Users\user\Desktop\RFQ.exe | Code function: String function: 00406654 appears 32 times
Source: C:\Users\user\Desktop\RFQ.exe | Code function: String function: 0040C0D0 appears 36 times
Source: C:\Users\user\Desktop\RFQ.exe | Code function: String function: 0040689C appears 34 times
Source: RFQ.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RFQ.exe, 00000000.00000000.661935161.0000000000503000.00000008.00020000.sdmp | Binary or memory string: OriginalFilename$ vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.676284545.0000000002972000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameRebornX Stub.exe" vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.671959640.0000000000CA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs RFQ.exe
Source: RFQ.exe | Binary or memory string: OriginalFilename vs RFQ.exe
Source: RFQ.exe, 00000003.00000002.932681617.0000000002A90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs RFQ.exe
Source: RFQ.exe, 00000003.00000002.929679300.00000000008F1000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs RFQ.exe
Source: RFQ.exe, 00000003.00000002.928582311.000000000049F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameRebornX Stub.exe" vs RFQ.exe
Source: RFQ.exe, 00000003.00000000.666225447.0000000000503000.00000008.00020000.sdmp | Binary or memory string: OriginalFilename$ vs RFQ.exe
Source: RFQ.exe, 00000003.00000002.939081497.0000000007D90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs RFQ.exe
Source: RFQ.exe, 00000003.00000002.938841632.0000000007940000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewmiutils.dll.muij% vs RFQ.exe
Source: RFQ.exe, 00000004.00000002.928926372.0000000000B60000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs RFQ.exe
Source: RFQ.exe, 00000004.00000002.928657755.0000000000503000.00000004.00020000.sdmp | Binary or memory string: OriginalFilename$ vs RFQ.exe
Source: RFQ.exe | Binary or memory string: OriginalFilename$ vs RFQ.exe
Source: 00000003.00000002.932681617.0000000002A90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000003.00000002.928582311.000000000049F000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.928489150.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.676284545.0000000002972000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.932934100.0000000002B89000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.928933596.00000000007F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.928933596.00000000007F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 00000000.00000002.676420482.0000000002A0F000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.833002255.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000003.00000002.929993236.0000000002312000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000001.667994741.00000000004C7000.00000040.00020000.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.929922075.0000000002282000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: RFQ.exe PID: 7032, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: RFQ.exe PID: 7032, type: MEMORY | Matched rule: CobaltStrike_C2_Host_Indicator date = 2019-08-16, author = yara@s3c.za.net, description = Detects CobaltStrike C2 host artifacts
Source: Process Memory Space: RFQ.exe PID: 6960, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RFQ.exe.7f0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RFQ.exe.7f0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 3.2.RFQ.exe.2280000.3.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RFQ.exe.2280000.3.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 3.2.RFQ.exe.7f0000.2.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RFQ.exe.7f0000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 3.2.RFQ.exe.2310000.4.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RFQ.exe.2310000.4.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 0.2.RFQ.exe.2900000.2.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.2900000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 3.1.RFQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.1.RFQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 11.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 3.2.RFQ.exe.2a90000.5.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 3.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 3.2.RFQ.exe.2a90000.5.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0.2.RFQ.exe.2970000.3.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.2970000.3.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 0.2.RFQ.exe.2970000.3.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ.exe.2970000.3.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ.exe.2970000.3.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.RFQ.exe.2970000.3.unpack, u200c???????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RFQ.exe.400000.0.unpack, u200c???????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RFQ.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RFQ.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.RFQ.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RFQ.exe.2310000.4.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RFQ.exe.2310000.4.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.RFQ.exe.2310000.4.unpack, u200c???????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RFQ.exe.2310000.4.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.2.RFQ.exe.2310000.4.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.RFQ.exe.2970000.3.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.RFQ.exe.2970000.3.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.RFQ.exe.2310000.4.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 3.2.RFQ.exe.2310000.4.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 3.2.RFQ.exe.2310000.4.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 3.2.RFQ.exe.400000.0.unpack, u206a????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 3.2.RFQ.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.2.RFQ.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.RFQ.exe.2970000.3.unpack, u206a????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 3.2.RFQ.exe.400000.0.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 3.2.RFQ.exe.400000.0.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 3.2.RFQ.exe.400000.0.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 0.2.RFQ.exe.2970000.3.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 0.2.RFQ.exe.2970000.3.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 0.2.RFQ.exe.2970000.3.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 3.2.RFQ.exe.2310000.4.unpack, u206a????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@9/2@3/3
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_004200BC GetLastError,FormatMessageA
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_004089E0 GetDiskFreeSpaceA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00413C19 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_00413908 FindResourceA
Source: C:\Users\user\Desktop\RFQ.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\RFQ.exe | Mutant created: \Sessions\1\BaseNamedObjects\f98d37f4-ca90-4ed7-9f6f-6121c4014605
Source: C:\Users\user\Desktop\RFQ.exe | File created: C:\Users\user\AppData\Local\Temp\5be6f947-0a42-fb06-cdcc-7277d76e4547
Source: C:\Users\user\Desktop\RFQ.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\RFQ.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\RFQ.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\RFQ.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: RFQ.exe, 00000003.00000002.932681617.0000000002A90000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: RFQ.exe, 00000003.00000002.932681617.0000000002A90000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: RFQ.exe, 00000003.00000002.932681617.0000000002A90000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.701417564.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: RFQ.exe, 00000003.00000002.932681617.0000000002A90000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: RFQ.exe, 00000003.00000002.932681617.0000000002A90000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: RFQ.exe, 00000003.00000002.932681617.0000000002A90000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: RFQ.exe, 00000003.00000002.932681617.0000000002A90000.00000004.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: RFQ.exeVirustotal: Detection: 23%
              Source: RFQ.exeReversingLabs: Detection: 41%
              Source: unknownProcess created: C:\Users\user\Desktop\RFQ.exe 'C:\Users\user\Desktop\RFQ.exe'
              Source: unknownProcess created: C:\Users\user\Desktop\RFQ.exe 'C:\Users\user\Desktop\RFQ.exe'
              Source: unknownProcess created: C:\Users\user\Desktop\RFQ.exe 'C:\Users\user\Desktop\RFQ.exe' 2 7032 7054156
              Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpC897.tmp'
              Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpCBFE.tmp'
              Source: C:\Users\user\Desktop\RFQ.exeProcess created: C:\Users\user\Desktop\RFQ.exe 'C:\Users\user\Desktop\RFQ.exe' Jump to behavior
              Source: C:\Users\user\Desktop\RFQ.exeProcess created: C:\Users\user\Desktop\RFQ.exe 'C:\Users\user\Desktop\RFQ.exe' 2 7032 7054156Jump to behavior
              Source: C:\Users\user\Desktop\RFQ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpC897.tmp'Jump to behavior
              Source: C:\Users\user\Desktop\RFQ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpCBFE.tmp'Jump to behavior
              Source: C:\Users\user\Desktop\RFQ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
              Source: C:\Users\user\Desktop\RFQ.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
              Source: C:\Users\user\Desktop\RFQ.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
              Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: RFQ.exe, 00000003.00000002.932681617.0000000002A90000.00000004.00000001.sdmp, vbc.exe
              Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: RFQ.exe, 00000003.00000002.932681617.0000000002A90000.00000004.00000001.sdmp, vbc.exe, 0000000B.00000002.833002255.0000000000400000.00000040.00000001.sdmp
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00460524 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateThread,WaitForSingleObjectEx,0_2_00460524
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00440248 push 004402D5h; ret 0_2_004402CD
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_004260E4 push 004261B4h; ret 0_2_004261AC
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0041C09C push ecx; mov dword ptr [esp], edx0_2_0041C0A1
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0045C114 push 0045C147h; ret 0_2_0045C13F
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_004401E0 push 00440246h; ret 0_2_0044023E
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_004101F8 push 00410314h; ret 0_2_0041030C
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00456254 push 004562C0h; ret 0_2_004562B8
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_004262C4 push 004262F0h; ret 0_2_004262E8
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_004282E0 push 0042830Ch; ret 0_2_00428304
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_004102E8 push 00410314h; ret 0_2_0041030C
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0041A330 push ecx; mov dword ptr [esp], edx0_2_0041A332
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00456424 push 00456450h; ret 0_2_00456448
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0042657C push 004265A8h; ret 0_2_004265A0
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00406512 push 00406565h; ret 0_2_0040655D
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00406514 push 00406565h; ret 0_2_0040655D
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00460650 push 00460676h; ret 0_2_0046066E
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00460618 push 00460644h; ret 0_2_0046063C
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_004066E4 push 00406710h; ret 0_2_00406708
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00406774 push 004067A0h; ret 0_2_00406798
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0045A704 push ecx; mov dword ptr [esp], ecx0_2_0045A709
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00426714 push 00426740h; ret 0_2_00426738
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0042E8A8 push 0042E901h; ret 0_2_0042E8F9
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0042E930 push 0042E968h; ret 0_2_0042E960
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0042E9C4 push 0042E9F0h; ret 0_2_0042E9E8
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00416984 push ecx; mov dword ptr [esp], edx0_2_00416986
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0042AAEC push 0042AB18h; ret 0_2_0042AB10
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0042AB5C push 0042AB88h; ret 0_2_0042AB80
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00412B74 push ecx; mov dword ptr [esp], edx0_2_00412B79
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0042AB24 push 0042AB50h; ret 0_2_0042AB48
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0042EB2C push 0042EB58h; ret 0_2_0042EB50
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0042ABCC push 0042ABF8h; ret 0_2_0042ABF0
              Source: initial sampleStatic PE information: section name: UPX0
              Source: initial sampleStatic PE information: section name: UPX1
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00453C78 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,0_2_00453C78
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0045436C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_0045436C
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0045441C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_0045441C
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0043A530 IsIconic,GetCapture,0_2_0043A530
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0042694C IsIconic,GetWindowPlacement,GetWindowRect,0_2_0042694C
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_00450D6C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,0_2_00450D6C
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0043ADD8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,0_2_0043ADD8
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0043B6BC IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,0_2_0043B6BC
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 4_2_00453C78 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,4_2_00453C78
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 4_2_0045436C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,4_2_0045436C
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 4_2_0045441C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,4_2_0045441C
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 4_2_0043A530 IsIconic,GetCapture,4_2_0043A530
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 4_2_0042694C IsIconic,GetWindowPlacement,GetWindowRect,4_2_0042694C
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 4_2_00450D6C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,4_2_00450D6C
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 4_2_0043ADD8 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,4_2_0043ADD8
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 4_2_0043B6BC IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,4_2_0043B6BC
              Source: C:\Users\user\Desktop\RFQ.exeCode function: 0_2_0043FC18 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,0_2_0043FC18
              Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ.exeProcess information set: NOOPENFILEERRORBOX