Analysis Report NEW ROM 01-002361_PDF.exe

Overview

General Information

Sample Name: NEW ROM 01-002361_PDF.exe
Analysis ID: 255292
MD5: 2cb9093f20d6541f7cf7286f697ab0d2
SHA1: 271a2e64eee0d7c2ef11e941408e0dfc1221f3cf
SHA256: 3afef2476572d24d320f6d9b0aea76022bbc6690826544a69a0f3409d904e76a

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code references suspicious native API functions
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • NEW ROM 01-002361_PDF.exe (PID: 7108 cmdline: 'C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe' MD5: 2CB9093F20D6541F7CF7286F697AB0D2)
    • schtasks.exe (PID: 5012 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmp220D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • NEW ROM 01-002361_PDF.exe (PID: 6196 cmdline: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe MD5: 2CB9093F20D6541F7CF7286F697AB0D2)
      • vbc.exe (PID: 5264 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp3BAF.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 2976 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp3487.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000003.00000002.510623224.000000000310F000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000000.00000002.253640942.0000000005CC1000.00000004.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x87a66:$s1: HawkEye Keylogger
  • 0x87acf:$s1: HawkEye Keylogger
  • 0x80ea9:$s2: _ScreenshotLogger
  • 0x80e76:$s3: _PasswordStealer
00000000.00000002.253640942.0000000005CC1000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x78b90:$s2: _ScreenshotLogger
  • 0x790dc:$s2: _ScreenshotLogger
  • 0x78b5d:$s3: _PasswordStealer
  • 0x790a9:$s3: _PasswordStealer
00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
(26 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author
18.2.vbc.exe.400000.0.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
18.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
18.2.vbc.exe.400000.0.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x131b0:$a1: logins.json
  • 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x13934:$s4: \mozsqlite3.dll
  • 0x121a4:$s5: SMTP Password
18.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
3.2.NEW ROM 01-002361_PDF.exe.400000.0.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x87c2e:$s1: HawkEye Keylogger
  • 0x87c97:$s1: HawkEye Keylogger
  • 0x81071:$s2: _ScreenshotLogger
  • 0x8103e:$s3: _PasswordStealer
(10 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmp220D.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmp220D.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe' , ParentImage: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe, ParentProcessId: 7108, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmp220D.tmp', ProcessId: 5012
Sigma detected: Suspicious Process Creation
Source: Process started; Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update); Data: Command: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp3BAF.tmp', CommandLine: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp3BAF.tmp', CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, ParentCommandLine: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe, ParentImage: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe, ParentProcessId: 6196, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp3BAF.tmp', ProcessId: 5264

            Signature Overview

AV Detection:

Found malware configuration
Source: vbc.exe.5264.4.memstr, Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\&startupname&.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: NEW ROM 01-002361_PDF.exe, Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 4_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 4_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 4_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 4_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 18_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen, 18_2_0040702D
Source: vbc.exe, 00000004.00000002.259138544.0000000000C39000.00000004.00000040.sdmp, String found in binary or memory: ://192.168.2.1/temp/Office16.x86.en-US.ISOhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=1033&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srffile:///C:/jbxinitvm.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 00000004.00000002.259138544.0000000000C39000.00000004.00000040.sdmp, String found in binary or memory: ://192.168.2.1/temp/Office16.x86.en-US.ISOhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=1033&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srffile:///C:/jbxinitvm.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.258499698.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.258499698.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp, String found in binary or memory: http://bot.whatismyipaddress.com/
Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp, String found in binary or memory: http://pomf.cat/upload.php
Source: NEW ROM 01-002361_PDF.exe, 00000000.00000002.253640942.0000000005CC1000.00000004.00000001.sdmp, NEW ROM 01-002361_PDF.exe, 00000003.00000002.503456589.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp, String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: NEW ROM 01-002361_PDF.exe, 00000000.00000002.249487602.0000000002EEA000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000004.00000002.258461224.000000000019C000.00000004.00000010.sdmp, String found in binary or memory: http://www.nirsoft.net
Source: vbc.exe, vbc.exe, 00000012.00000002.391639332.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: http://www.nirsoft.net/
Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp, String found in binary or memory: https://a.pomf.cat/
Source: vbc.exe, 00000004.00000002.259138544.0000000000C39000.00000004.00000040.sdmp, String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: vbc.exe, String found in binary or memory: https://login.yahoo.com/config/login
Source: vbc.exe, String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match, File source: 00000000.00000002.253640942.0000000005CC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.250038649.0000000004726000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.503456589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: NEW ROM 01-002361_PDF.exe PID: 6196, type: MEMORY
Source: Yara match, File source: Process Memory Space: NEW ROM 01-002361_PDF.exe PID: 7108, type: MEMORY
Source: Yara match, File source: 3.2.NEW ROM 01-002361_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 4_2_0040F078 OpenClipboard,GetLastError,DeleteFileW, 4_2_0040F078

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.253640942.0000000005CC1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 00000000.00000002.250038649.0000000004726000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 00000003.00000002.514105764.00000000054D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Source: 00000012.00000002.391639332.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Source: 00000003.00000002.503456589.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: Process Memory Space: NEW ROM 01-002361_PDF.exe PID: 6196, type: MEMORY, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: Process Memory Space: NEW ROM 01-002361_PDF.exe PID: 7108, type: MEMORY, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 18.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Source: 18.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Source: 3.2.NEW ROM 01-002361_PDF.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 3.2.NEW ROM 01-002361_PDF.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
Source: 3.2.NEW ROM 01-002361_PDF.exe.54d0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Source: 3.2.NEW ROM 01-002361_PDF.exe.54d0000.3.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: NEW ROM 01-002361_PDF.exe
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe, Code function: 0_2_02CB02FC NtQueryInformationProcess, 0_2_02CB02FC
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe, Code function: 0_2_02CB02AF NtQueryInformationProcess, 0_2_02CB02AF
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe, Code function: 0_2_02CB6AC9 NtQueryInformationProcess, 0_2_02CB6AC9
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe, Code function: 3_2_05E21398 NtUnmapViewOfSection, 3_2_05E21398
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 4_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification, 4_2_0040978A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 00415F19 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 0044468C appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 004162C2 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 00412084 appears 39 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 00444B90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 0041607A appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: String function: 004083D6 appears 32 times
Source: NEW ROM 01-002361_PDF.exe, Binary or memory string: OriginalFilename vs NEW ROM 01-002361_PDF.exe
Source: NEW ROM 01-002361_PDF.exe, 00000000.00000002.249487602.0000000002EEA000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameAphrodite.dll4 vs NEW ROM 01-002361_PDF.exe
Source: NEW ROM 01-002361_PDF.exe, 00000000.00000002.249487602.0000000002EEA000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameReborn Stub.exe" vs NEW ROM 01-002361_PDF.exe
Source: NEW ROM 01-002361_PDF.exe, 00000000.00000002.255852461.00000000091B0000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs NEW ROM 01-002361_PDF.exe
Source: NEW ROM 01-002361_PDF.exe, 00000000.00000002.255852461.00000000091B0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs NEW ROM 01-002361_PDF.exe
Source: NEW ROM 01-002361_PDF.exe, 00000000.00000002.255570443.00000000090C0000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs NEW ROM 01-002361_PDF.exe
Source: NEW ROM 01-002361_PDF.exe, Binary or memory string: OriginalFilename vs NEW ROM 01-002361_PDF.exe
Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs NEW ROM 01-002361_PDF.exe
Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508216474.0000000002FD0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamewmiutils.dll.muij% vs NEW ROM 01-002361_PDF.exe
Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.515065816.0000000005E30000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs NEW ROM 01-002361_PDF.exe
Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.503456589.0000000000402000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenameReborn Stub.exe" vs NEW ROM 01-002361_PDF.exe
Source: NEW ROM 01-002361_PDF.exe, Binary or memory string: OriginalFilenamenuetytcfNz.exe8 vs NEW ROM 01-002361_PDF.exe
Source: 00000000.00000002.253640942.0000000005CC1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp, type: MEMORY, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.250038649.0000000004726000.00000004.00000001.sdmp, type: MEMORY, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.514105764.00000000054D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000012.00000002.391639332.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000003.00000002.503456589.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: NEW ROM 01-002361_PDF.exe PID: 6196, type: MEMORY, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: NEW ROM 01-002361_PDF.exe PID: 7108, type: MEMORY, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 18.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 3.2.NEW ROM 01-002361_PDF.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 3.2.NEW ROM 01-002361_PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 3.2.NEW ROM 01-002361_PDF.exe.54d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 3.2.NEW ROM 01-002361_PDF.exe.54d0000.3.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: NEW ROM 01-002361_PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: &startupname&.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 3.2.NEW ROM 01-002361_PDF.exe.400000.0.unpack, u206b????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.NEW ROM 01-002361_PDF.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.NEW ROM 01-002361_PDF.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.NEW ROM 01-002361_PDF.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.NEW ROM 01-002361_PDF.exe.400000.0.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 3.2.NEW ROM 01-002361_PDF.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.2.NEW ROM 01-002361_PDF.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.NEW ROM 01-002361_PDF.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 3.2.NEW ROM 01-002361_PDF.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 3.2.NEW ROM 01-002361_PDF.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
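The decompiled type names above (u206b????…, u202d????…, u200b????…, u200d????…, u202a????…) are not rendering failures in the report: the .NET obfuscator used on the unpacked HawkEye payload named its classes with Unicode format characters (zero-width spaces and joiners, bidirectional overrides, invisible operators), of which the decompiler could only print the first code point and replaced the rest with ?. Such names are never produced by a human-written C# project, so their presence is a cheap, reliable triage signal. The following script is an added example, not code from the report or the sample, that scores identifiers by the share of code points in the Unicode Cf/Co/Cn categories; the sample names it runs on are constructed stand-ins for the names shown above, not names recovered from the binary.

```python
import unicodedata

# Constructed stand-ins shaped like the type names in the decompiler output: each begins
# with the code point the decompiler managed to print and continues with further format
# characters that it rendered as '?'. These are NOT the sample's real type names.
SAMPLE_TYPE_NAMES = [
    "\u200b" + "\u200c" * 8,      # ZERO WIDTH SPACE, then ZERO WIDTH NON-JOINERs
    "\u202d" + "\u202e" * 4,      # LEFT-TO-RIGHT OVERRIDE, then RIGHT-TO-LEFT OVERRIDEs
    "\u206b" + "\u2062" * 3,      # ACTIVATE SYMMETRIC SWAPPING, then INVISIBLE TIMES
    "Program",                    # ordinary identifier, must not be flagged
    "Config\u200d",               # one trailing ZERO WIDTH JOINER, below the threshold
]

# Unicode general categories that never belong in a hand-written .NET identifier:
# Cf = format (zero-width and bidi controls), Co = private use, Cn = unassigned.
SUSPICIOUS_CATEGORIES = {"Cf", "Co", "Cn"}


def invisible_ratio(name: str) -> float:
    """Share of code points in `name` that fall into a suspicious category."""
    if not name:
        return 0.0
    bad = sum(1 for ch in name if unicodedata.category(ch) in SUSPICIOUS_CATEGORIES)
    return bad / len(name)


def is_obfuscated_identifier(name: str, threshold: float = 0.5) -> bool:
    """Flag identifiers in which at least `threshold` of the code points are invisible."""
    return invisible_ratio(name) >= threshold


def escape_identifier(name: str) -> str:
    """Render an identifier with \\uXXXX escapes for anything outside printable ASCII so
    it can be logged and grepped unambiguously."""
    return "".join(ch if 0x20 < ord(ch) < 0x7F else f"\\u{ord(ch):04x}" for ch in name)


def triage(names):
    """Return (escaped_name, ratio) for every flagged identifier, highest ratio first."""
    flagged = [(escape_identifier(n), round(invisible_ratio(n), 2))
               for n in names if is_obfuscated_identifier(n)]
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for escaped, ratio in triage(SAMPLE_TYPE_NAMES):
        print(f"{ratio:.2f}  {escaped}")
```

Feed it the type names dumped from any .NET reflection or decompiler pass (dnlib, ILSpy, `System.Reflection.Metadata`); a module in which most types score 1.0 is worth unpacking further before the Yara hits are even considered.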
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@10/6@0/0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00417BE9 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,4_2_00417BE9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00418073 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,4_2_00418073
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00413424 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification,4_2_00413424
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_004141E0 FindResourceW,SizeofResource,LoadResource,LockResource,4_2_004141E0
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | File created: C:\Users\user\AppData\Roaming\&startupname&.exe
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Mutant created: \Sessions\1\BaseNamedObjects\0afb590f-6441-4e30-9017-486274a19cc9
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5152:120:WilError_01
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | File created: C:\Users\user\AppData\Local\Temp\tmp220D.tmp
Source: NEW ROM 01-002361_PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.258499698.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | File read: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe
Source: unknown | Process created: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe 'C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmp220D.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp3BAF.tmp'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp3487.tmp'
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmp220D.tmp'
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Process created: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp3BAF.tmp'
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp3487.tmp'
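The process tree above contains three relationships worth a detection rule of their own. First, the sample registers its persistence by handing schtasks.exe /Create a task definition dropped into AppData\Local\Temp. Second, it starts a second copy of itself from the Desktop, the child into which the MZ image is later written. Third, it launches vbc.exe, the VB.NET compiler, with /stext: vbc.exe has no such switch, but /stext is the NirSoft "save report as text" option, and the mailpv.pdb and WebBrowserPassView.pdb paths recovered from vbc.exe memory confirm that each vbc.exe is a hollowed host for one of those recovery tools (which is also the most likely reason the vbc.exe images match the KimJongRAT rule, since that rule's unpacked-PE hits land on the same images). The script below is an added example, not the sandbox's own logic, that implements those three rules over process-creation events. The event records are constructed from the command lines above; the PIDs other than 6196 and 7108 are invented, and the parent of the vbc.exe instances (listed as unknown in the report) is assumed to be the hollowed second instance of the sample.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (the fields a Sysmon event ID 1 or EDR record carries)."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent_image: str


# Constructed events mirroring the process tree in the report. PIDs other than 6196 and
# 7108 are invented; the parent of vbc.exe is assumed to be the second sample instance.
SAMPLE_EVENTS = [
    ProcEvent(6196, 4242, r"C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe",
              r"'C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe'", r"C:\Windows\explorer.exe"),
    ProcEvent(6500, 6196, r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmp220D.tmp'",
              r"C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe"),
    ProcEvent(7108, 6196, r"C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe",
              r"C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe",
              r"C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe"),
    ProcEvent(7300, 7108, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r"'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp3BAF.tmp'",
              r"C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe"),
    # Benign control: a developer compiling a VB file from a console. Must not fire.
    ProcEvent(7400, 4300, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r"vbc.exe /target:exe /out:app.exe app.vb", r"C:\Windows\System32\cmd.exe"),
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
USER_PATH_RE = re.compile(r"^[a-z]:\\Users\\", re.IGNORECASE)
STEXT_RE = re.compile(r"(^|\s)/stext(\s|$)", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_task_xml_from_temp(ev: ProcEvent):
    """schtasks /Create fed a task definition from %TEMP%: the persistence step above."""
    cl = ev.cmdline.lower()
    if (_basename(ev.image) == "schtasks.exe" and "/create" in cl and "/xml" in cl
            and TEMP_DIR_RE.search(ev.cmdline)):
        return "schtasks /Create with task XML read from AppData\\Local\\Temp"
    return None


def rule_vbc_with_stext(ev: ProcEvent):
    """vbc.exe has no /stext switch; it is NirSoft's 'save as text' option, so the
    compiler image is hosting an injected password-recovery tool."""
    if _basename(ev.image) == "vbc.exe" and STEXT_RE.search(ev.cmdline):
        return "vbc.exe started with NirSoft /stext switch (hollowed host process)"
    return None


def rule_self_spawn_from_user_dir(ev: ProcEvent):
    """An executable under C:\\Users starting a second copy of itself, as the sample
    does before writing a PE image into the child."""
    if ev.image.lower() == ev.parent_image.lower() and USER_PATH_RE.match(ev.image):
        return "user-writable executable spawned a copy of itself (hollowing precursor)"
    return None


RULES = (rule_task_xml_from_temp, rule_vbc_with_stext, rule_self_spawn_from_user_dir)


def evaluate(events):
    """Run every rule over every event; return (pid, ppid, message) for each hit."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((ev.pid, ev.ppid, msg))
    return hits


if __name__ == "__main__":
    for pid, ppid, msg in evaluate(SAMPLE_EVENTS):
        print(f"pid {pid} (parent {ppid}): {msg}")
```

The /stext rule is the most portable of the three: any LOLBin that is not a NirSoft tool but receives /stext, /shtml or /scomma on its command line is hosting one, regardless of which loader put it there.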
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: NEW ROM 01-002361_PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: NEW ROM 01-002361_PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.510623224.000000000310F000.00000004.00000001.sdmp, vbc.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,4_2_004443B0
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Code function: 0_2_02CB65E8 push esp; retf 0_2_02CB65E9
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Code function: 0_2_02CB6817 push 67B002CBh; retf 0_2_02CB6822
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Code function: 0_2_02CB0FDB push es; retf 0_2_02CB0FE2
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Code function: 0_2_02CB0FE3 push cs; retf 0_2_02CB0FEA
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Code function: 0_2_02CB0FA7 push es; retf 0_2_02CB0FB6
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Code function: 0_2_02CB101B push cs; retf 0_2_02CB101E
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Code function: 0_2_08964005 push ebp; ret 0_2_08964006
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00444975 push ecx; ret 4_2_00444985
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00444B90 push eax; ret 4_2_00444BA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00444B90 push eax; ret 4_2_00444BCC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00448E74 push eax; ret 4_2_00448E81
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_0042CF44 push ebx; retf 0042h 4_2_0042CF49
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00412341 push ecx; ret 18_2_00412351
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00412360 push eax; ret 18_2_00412374
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00412360 push eax; ret 18_2_0041239C
Source: initial sample | Static PE information: section name: .text entropy: 7.92689798234
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | File created: C:\Users\user\AppData\Roaming\&startupname&.exe
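A .text section with an entropy of 7.927 bits per byte, as reported for the initial sample above, is the static counterpart of the CreateDecryptor/TransformFinalBlock calls in the unpacked code: the real payload sits in the executable section as an encrypted blob and is decrypted at run time, whereas ordinary x86 or CIL code lands well below 7. Checking this does not need a full PE library. The script below is an added example, not code from the report, that walks the section table with nothing but struct, computes Shannon entropy per executable section and flags anything at or above 7.0. Because it must run offline, it also assembles a minimal, deliberately non-runnable PE image from a seeded pseudo-random "packed" section, a plain-looking code section and a data section; those bytes are constructed for the demonstration and have nothing to do with the sample.

```python
import math
import random
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk a PE section table, yielding (name, raw_offset, raw_size, characteristics).
    Only the header fields needed for that are read; nothing is validated beyond the magics."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)      # IMAGE_FILE_HEADER.NumberOfSections
    size_of_optional, = struct.unpack_from("<H", pe, coff + 16)  # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = coff + 20 + size_of_optional
    for i in range(num_sections):
        hdr = table + 40 * i                                     # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        characteristics, = struct.unpack_from("<I", pe, hdr + 36)
        yield name, raw_ptr, raw_size, characteristics


def high_entropy_code_sections(pe: bytes, threshold: float = 7.0):
    """Return (name, entropy) for executable sections whose raw bytes look compressed
    or encrypted."""
    flagged = []
    for name, ptr, size, chars in parse_sections(pe):
        if not chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            continue
        ent = shannon_entropy(pe[ptr:ptr + size])
        if ent >= threshold:
            flagged.append((name, round(ent, 3)))
    return flagged


def build_test_pe(sections):
    """Assemble a minimal, non-runnable PE32 image from (name, data, characteristics)
    triples, constructed only so the parser can be exercised offline."""
    size_of_optional = 0xE0
    header_len = (0x40 + 4 + 20 + size_of_optional + 40 * len(sections) + 0x1FF) & ~0x1FF
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x102)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, 0x10B)                    # PE32 magic
    table, body, ptr = bytearray(), bytearray(), header_len
    for name, data, chars in sections:
        raw = (len(data) + 0x1FF) & ~0x1FF                        # 512-byte file alignment
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), ptr, raw, ptr, 0, 0, 0, 0, chars)
        body += data.ljust(raw, b"\0")
        ptr += raw
    image = (dos + b"PE\0\0" + coff + optional + table).ljust(header_len, b"\0") + body
    return bytes(image)


# Constructed test image: a seeded PRNG stands in for an encrypted .text (not real
# malware bytes), beside a plausibly shaped plain code section and a data section.
_rng = random.Random(2361)
PACKED_TEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_CODE = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\xf1\x33\xc0\x5f\x5e\x5b\xc9\xc3" * 200
TEST_PE = build_test_pe([
    (".text", PACKED_TEXT, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".code2", PLAIN_CODE, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rdata", bytes(range(16)) * 256, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    for name, ptr, size, chars in parse_sections(TEST_PE):
        ent = shannon_entropy(TEST_PE[ptr:ptr + size])
        print(f"{name:8s} offset={ptr:#07x} size={size:#07x} entropy={ent:.3f}")
    print("flagged:", high_entropy_code_sections(TEST_PE))
```

On a real file, replace TEST_PE with `open(path, "rb").read()`; the parser reads SizeOfRawData rather than VirtualSize on purpose, since padding bytes in the file are what an on-disk scanner sees.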

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmp220D.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00443A61 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,4_2_00443A61
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.249487602.0000000002EEA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: NEW ROM 01-002361_PDF.exe PID: 6196, type: MEMORY
Source: Yara match | File source: Process Memory Space: NEW ROM 01-002361_PDF.exe PID: 7108, type: MEMORY
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: NEW ROM 01-002361_PDF.exe, 00000000.00000002.249487602.0000000002EEA000.00000004.00000001.sdmp, NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: NEW ROM 01-002361_PDF.exe, 00000000.00000002.249487602.0000000002EEA000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Code function: 0_2_02CB3A58 rdtsc 0_2_02CB3A58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,4_2_0040978A
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe TID: 7112 | Thread sleep time: -57757s >= -30000s
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe TID: 7128 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe TID: 7140 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe TID: 6320 | Thread sleep count: 145 > 30
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe TID: 6320 | Thread sleep time: -145000s >= -30000s
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe TID: 6180 | Thread sleep count: 153 > 30
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe TID: 6180 | Thread sleep time: -153000s >= -30000s
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,4_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,4_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,18_2_0040702D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_0041829C memset,GetSystemInfo,4_2_0041829C
Source: NEW ROM 01-002361_PDF.exe, 00000000.00000002.249487602.0000000002EEA000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: NEW ROM 01-002361_PDF.exe, 00000000.00000002.249487602.0000000002EEA000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: NEW ROM 01-002361_PDF.exe, 00000000.00000002.249487602.0000000002EEA000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: NEW ROM 01-002361_PDF.exe, 00000000.00000002.249487602.0000000002EEA000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Code function: 0_2_02CB3A58 rdtsc 0_2_02CB3A58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,4_2_0040978A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,4_2_004443B0
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Memory allocated: page read and write | page guard
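Taken together, the artefacts in this section describe the sample's sandbox checklist: the MAC address of every adapter (VMware and VirtualBox hand out well-known OUIs), whether SbieDll.dll is loaded (Sandboxie), whether wireshark.exe is running, whether kernel32 exports wine_get_unix_file_name (Wine), and whether device or registry strings mention VMware; if any test passes, the threads are parked with a delay of 922337203685477 ms, which is exactly 2^63-1 hundred-nanosecond ticks expressed in milliseconds and therefore an indefinite wait rather than a timed sleep. The script below is an added example, not the sample's code and not the sandbox's, that reimplements those checks over a dictionary of host facts so an analyst can see which artefacts an analysis VM still exposes, plus a helper that buckets sleep requests the way the "Thread sleep time" lines above do. The host snapshots are constructed from the strings in the report; the MAC addresses are invented.

```python
# Vendor OUIs (first three octets) that the MacAddress WMI query above can reveal.
VM_OUIS = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
}
SANDBOX_MODULES = {"sbiedll.dll": "Sandboxie"}
ANALYSIS_PROCESSES = {"wireshark.exe": "Wireshark"}
WINE_EXPORT = "wine_get_unix_file_name"          # kernel32 export that exists only under Wine
VM_DEVICE_MARKERS = ("vmware", "vbox", "virtualbox", "qemu")

# 2**63-1 hundred-nanosecond ticks in milliseconds: the delay value in the report,
# i.e. an indefinite wait rather than a finite sleep.
MAX_TICKS_MS = (2**63 - 1) // 10_000


def normalize_mac(mac: str) -> str:
    return mac.upper().replace("-", ":")


def vm_indicators(host: dict) -> list:
    """Evaluate the artefact classes the report shows the sample probing against a
    dictionary of facts gathered from the host. Returns human-readable hits."""
    hits = []
    for mac in host.get("macs", []):
        vendor = VM_OUIS.get(normalize_mac(mac)[:8])
        if vendor:
            hits.append(f"MAC {mac} carries {vendor} OUI")
    for module in host.get("modules", []):
        product = SANDBOX_MODULES.get(module.lower())
        if product:
            hits.append(f"module {module} loaded ({product})")
    for proc in host.get("processes", []):
        product = ANALYSIS_PROCESSES.get(proc.lower())
        if product:
            hits.append(f"process {proc} running ({product})")
    if WINE_EXPORT in {e.lower() for e in host.get("kernel32_exports", [])}:
        hits.append(f"kernel32 exports {WINE_EXPORT} (Wine)")
    for text in host.get("device_strings", []):
        marker = next((m for m in VM_DEVICE_MARKERS if m in text.lower()), None)
        if marker:
            hits.append(f"device/registry string mentions {marker}: {text}")
    return hits


def classify_sleep(delay_ms: int, threshold_ms: int = 30_000) -> str:
    """Bucket a requested delay the way a sandbox would: 'infinite', 'long' or 'normal'."""
    if delay_ms >= MAX_TICKS_MS:
        return "infinite"
    if delay_ms >= threshold_ms:
        return "long"
    return "normal"


# Constructed host snapshot built from the artefacts named in the report (MACs invented;
# 00:1B:21 stands in for a physical NIC).
SAMPLE_HOST = {
    "macs": ["00:0C:29:3A:1B:2C", "00:1B:21:AA:BB:CC"],
    "modules": ["ntdll.dll", "kernel32.dll", "SbieDll.dll"],
    "processes": ["explorer.exe", "Wireshark.exe"],
    "kernel32_exports": ["CreateFileW", "wine_get_unix_file_name"],
    "device_strings": [
        "VMware SVGA II",
        r"SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00",
        "Intel(R) UHD Graphics 620",
    ],
}

# A hardened analysis VM should look like this to the sample.
CLEAN_HOST = {
    "macs": ["00:1B:21:AA:BB:CC"],
    "modules": ["ntdll.dll", "kernel32.dll"],
    "processes": ["explorer.exe"],
    "kernel32_exports": ["CreateFileW"],
    "device_strings": ["Intel(R) UHD Graphics 620"],
}

if __name__ == "__main__":
    for hit in vm_indicators(SAMPLE_HOST):
        print("VM/sandbox indicator:", hit)
    for delay in (1000, 57757, 922337203685477):
        print(delay, "->", classify_sleep(delay))
```

The MAC check is the one most often forgotten when hardening a sandbox: renaming VMware Tools and the SVGA device string does nothing if Win32_NetworkAdapterConfiguration still returns a 00:0C:29 address.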

            HIPS / PFW / Operating System Protection Evasion:

            .NET source code references suspicious native API functions
            Source: 3.2.NEW ROM 01-002361_PDF.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Memory written: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe base: 400000 value starts with: 4D5A
            Sample uses process hollowing technique
            Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmp220D.tmp'
            Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Process created: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe
            Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp3BAF.tmp'
            Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp3487.tmp'
            Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508026404.0000000001A80000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508026404.0000000001A80000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508026404.0000000001A80000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
            Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508026404.0000000001A80000.00000002.00000001.sdmp | Binary or memory string: jProgram Manager
            Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Queries volume information: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe VolumeInformation
            Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Queries volume information: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe VolumeInformation
            Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00418137 GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, 4_2_00418137
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_004073B6 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 18_2_004073B6
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_004083A1 GetVersionExW, 4_2_004083A1
            Source: C:\Users\user\Desktop\NEW ROM 01-002361_PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp | Binary or memory string: bdagent.exe
            Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp | Binary or memory string: MSASCui.exe
            Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp | Binary or memory string: avguard.exe
            Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp | Binary or memory string: avgrsx.exe
            Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp | Binary or memory string: avcenter.exe
            Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp | Binary or memory string: avp.exe
            Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp | Binary or memory string: zlclient.exe
            Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp | Binary or memory string: wireshark.exe
            Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp | Binary or memory string: avgcsrvx.exe
            Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp | Binary or memory string: avgnt.exe
            Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp | Binary or memory string: hijackthis.exe
            Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp | Binary or memory string: avgui.exe
            Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp | Binary or memory string: avgwdsvc.exe
            Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp | Binary or memory string: mbam.exe
            Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp | Binary or memory string: MsMpEng.exe
            Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp | Binary or memory string: ComboFix.exe

            Stealing of Sensitive Information:

            Yara detected HawkEye Keylogger
            Source: Yara match | File source: 00000000.00000002.253640942.0000000005CC1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.250038649.0000000004726000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.503456589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: NEW ROM 01-002361_PDF.exe PID: 6196, type: MEMORY
            Source: Yara match | File source: Process Memory Space: NEW ROM 01-002361_PDF.exe PID: 7108, type: MEMORY
            Source: Yara match | File source: 3.2.NEW ROM 01-002361_PDF.exe.400000.0.unpack, type: UNPACKEDPE
            Yara detected MailPassView
            Source: Yara match | File source: 00000003.00000002.510623224.000000000310F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.511822327.0000000003FF1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.249481959.0000000004865000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.514105764.00000000054D0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000002.391639332.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: NEW ROM 01-002361_PDF.exe PID: 6196, type: MEMORY
            Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2976, type: MEMORY
            Source: Yara match | File source: 18.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 18.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.2.NEW ROM 01-002361_PDF.exe.54d0000.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.2.NEW ROM 01-002361_PDF.exe.54d0000.3.unpack, type: UNPACKEDPE
            Tries to steal Instant Messenger accounts or passwords
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
            Tries to steal Mail credentials (via file access)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
            Tries to steal Mail credentials (via file registry)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 18_2_00402D74
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 18_2_00402D74
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: ESMTPPassword 18_2_004033B1
            Yara detected WebBrowserPassView password recovery tool
            Source: Yara match | File source: 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.511822327.0000000003FF1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.258499698.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.249481959.0000000004865000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.514105764.00000000054D0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: vbc.exe PID: 5264, type: MEMORY
            Source: Yara match | File source: Process Memory Space: NEW ROM 01-002361_PDF.exe PID: 6196, type: MEMORY
            Source: Yara match | File source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.2.NEW ROM 01-002361_PDF.exe.54d0000.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.2.NEW ROM 01-002361_PDF.exe.54d0000.3.unpack, type: UNPACKEDPE

            Remote Access Functionality:

            Detected HawkEye Rat
            Source: NEW ROM 01-002361_PDF.exe, 00000000.00000002.253640942.0000000005CC1000.00000004.00000001.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
            Source: NEW ROM 01-002361_PDF.exe, 00000003.00000002.503456589.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
            Yara detected HawkEye Keylogger
            Source: Yara match | File source: 00000000.00000002.253640942.0000000005CC1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.508320211.0000000003003000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.250038649.0000000004726000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.503456589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: NEW ROM 01-002361_PDF.exe PID: 6196, type: MEMORY
            Source: Yara match | File source: Process Memory Space: NEW ROM 01-002361_PDF.exe PID: 7108, type: MEMORY
            Source: Yara match | File source: 3.2.NEW ROM 01-002361_PDF.exe.400000.0.unpack, type: UNPACKEDPE

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 111 | Application Shimming 1 | Application Shimming 1 | Disable or Modify Tools 1 | Credentials in Registry 2 | System Time Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Native API 11 | Scheduled Task/Job 1 | Process Injection 212 | Deobfuscate/Decode Files or Information 11 | Credentials In Files 1 | Account Discovery 1 | Remote Desktop Protocol | Email Collection 1 | Exfiltration Over Bluetooth | Remote Access Software 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | Shared Modules 1 | Logon Script (Windows) | Scheduled Task/Job 1 | Obfuscated Files or Information 3 | Security Account Manager | File and Directory Discovery 2 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | Scheduled Task/Job 1 | Logon Script (Mac) | Logon Script (Mac) | Software Packing 2 | NTDS | System Information Discovery 19 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 | LSA Secrets | Security Software Discovery 251 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 14 | Cached Domain Credentials | Virtualization/Sandbox Evasion 14 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 212 | DCSync | Process Discovery 4 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Owner/User Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue

            Behavior Graph
