
Analysis Report BID (ITB).exe

Overview

General Information

Sample Name: BID (ITB).exe
Analysis ID: 298638
MD5: 252e0a3b8da887d3da7ff844b1864be2
SHA1: 614228df1144b4569adec014d365be5f7421102e
SHA256: 39ae83af1cd715dadb50a266b91587dab04fffa94d2aa923c03cff634265f9ec
Tags: exe


Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Injects a PE file into a foreign process
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Startup

  • System is w10x64
  • BID (ITB).exe (PID: 6512 cmdline: 'C:\Users\user\Desktop\BID (ITB).exe' MD5: 252E0A3B8DA887D3DA7FF844B1864BE2)
    • BID (ITB).exe (PID: 4708 cmdline: 'C:\Users\user\Desktop\BID (ITB).exe' MD5: 252E0A3B8DA887D3DA7FF844B1864BE2)
      • vbc.exe (PID: 5356 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpDE91.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 7152 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpDB22.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • BID (ITB).exe (PID: 5116 cmdline: 'C:\Users\user\Desktop\BID (ITB).exe' 2 4708 7258109 MD5: 252E0A3B8DA887D3DA7FF844B1864BE2)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["browserpv", "mailpv", "WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.597113090.0000000006671000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000002.00000002.597113090.0000000006671000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000002.00000002.596494924.0000000004AD0000.00000004.00000001.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x6b8fa:$a1: logins.json
  • 0x6b85a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x6c07e:$s4: \mozsqlite3.dll
  • 0x6a8ee:$s5: SMTP Password
00000002.00000002.596494924.0000000004AD0000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000002.00000002.596494924.0000000004AD0000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
(36 entries in total; only the first are shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.BID (ITB).exe.21e0000.2.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x8113a:$s2: _ScreenshotLogger
  • 0x81107:$s3: _PasswordStealer
2.2.BID (ITB).exe.21e0000.2.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
2.2.BID (ITB).exe.21e0000.2.raw.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen
  • 0x81107:$str1: _PasswordStealer
  • 0x81118:$str2: _KeyStrokeLogger
  • 0x8113a:$str3: _ScreenshotLogger
  • 0x81129:$str4: _ClipboardLogger
  • 0x8114c:$str5: _WebCamLogger
  • 0x81261:$str6: _AntiVirusKiller
  • 0x8124f:$str7: _ProcessElevation
  • 0x81216:$str8: _DisableCommandPrompt
  • 0x8131c:$str9: _WebsiteBlocker
  • 0x8132c:$str9: _WebsiteBlocker
  • 0x81202:$str10: _DisableTaskManager
  • 0x8127d:$str11: _AntiDebugger
  • 0x81307:$str12: _WebsiteVisitorSites
  • 0x8122c:$str13: _DisableRegEdit
  • 0x8128b:$str14: _ExecutionDelay
  • 0x811b0:$str15: _InstallStartupPersistance
19.2.vbc.exe.400000.0.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x131b0:$a1: logins.json
  • 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x13934:$s4: \mozsqlite3.dll
  • 0x121a4:$s5: SMTP Password
19.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
(28 entries in total; only the first are shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: BID (ITB).exe.4708.2.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["browserpv", "mailpv", "WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for domain / URL
Source: eagleeyeapparels.com | Virustotal: Detection: 11%
Source: mail.eagleeyeapparels.com | Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: BID (ITB).exe | Virustotal: Detection: 28%
Source: BID (ITB).exe | ReversingLabs: Detection: 50%
Machine Learning detection for sample
Source: BID (ITB).exe | Joe Sandbox ML: detected
Source: 1.2.BID (ITB).exe.2a70000.2.unpack | Avira: Label: TR/Dropper.Gen
Source: 2.2.BID (ITB).exe.2300000.4.unpack | Avira: Label: TR/Dropper.Gen
Source: 2.2.BID (ITB).exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 2.2.BID (ITB).exe.2270000.3.unpack | Avira: Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 1_2_004089E8 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,1_2_004089E8
Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 1_2_00408AE8 FindFirstFileA,GetLastError,1_2_00408AE8
Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 1_2_00405B0C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,1_2_00405B0C
Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 3_2_004089E8 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,3_2_004089E8
Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 3_2_00408AE8 FindFirstFileA,GetLastError,3_2_00408AE8
Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 3_2_00405B0C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,3_2_00405B0C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_0040A1A7 FindFirstFileW,FindNextFileW,4_2_0040A1A7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,19_2_0040702D

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: bot.whatismyipaddress.com
Source: unknown | DNS query: name: bot.whatismyipaddress.com
Source: unknown | DNS query: name: bot.whatismyipaddress.com
Source: unknown | DNS query: name: bot.whatismyipaddress.com
Source: unknown | DNS query: name: bot.whatismyipaddress.com
Source: global traffic | TCP traffic: 192.168.2.6:49727 -> 54.39.139.67:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: bot.whatismyipaddress.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: bot.whatismyipaddress.com
Source: Joe Sandbox View | IP Address: 54.39.139.67 54.39.139.67
Source: Joe Sandbox View | IP Address: 66.171.248.178 66.171.248.178
Source: Joe Sandbox View | IP Address: 66.171.248.178 66.171.248.178
Source: Joe Sandbox View | ASN Name: OVHFR OVHFR
Source: global traffic | TCP traffic: 192.168.2.6:49727 -> 54.39.139.67:587
Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 2_2_023FA186 recv,2_2_023FA186
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: bot.whatismyipaddress.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: bot.whatismyipaddress.com
Source: BID (ITB).exe, 00000002.00000002.596494924.0000000004AD0000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.345328835.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: BID (ITB).exe, 00000002.00000002.596494924.0000000004AD0000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.345328835.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: 41.140.13.0.in-addr.arpa
Source: BID (ITB).exe, 00000002.00000002.594343601.0000000002CE6000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com
Source: BID (ITB).exe, 00000002.00000002.593551856.0000000002AE3000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com/
Source: BID (ITB).exe, 00000002.00000002.594173080.0000000002C9E000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.comx&
Source: BID (ITB).exe, 00000002.00000002.598096422.0000000008200000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comod
Source: BID (ITB).exe, 00000002.00000002.594343601.0000000002CE6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: BID (ITB).exe, 00000002.00000002.598096422.0000000008200000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: BID (ITB).exe, 00000002.00000002.594343601.0000000002CE6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: BID (ITB).exe, 00000002.00000002.594343601.0000000002CE6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: BID (ITB).exe, 00000002.00000002.598096422.0000000008200000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.co
Source: BID (ITB).exe, 00000002.00000002.594343601.0000000002CE6000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: BID (ITB).exe | String found in binary or memory: http://pomf.cat/upload.php
Source: BID (ITB).exe, 00000001.00000002.325883859.0000000002A72000.00000040.00000001.sdmp, BID (ITB).exe, 00000002.00000002.588814290.000000000049F000.00000040.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: BID (ITB).exe, 00000002.00000002.593551856.0000000002AE3000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: vbc.exe, 00000004.00000002.345693308.00000000007A8000.00000004.00000020.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: vbc.exe, 00000004.00000003.344128075.0000000000AD0000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.co
Source: vbc.exe, 00000004.00000002.345276693.000000000019C000.00000004.00000010.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: vbc.exe, vbc.exe, 00000013.00000002.481145742.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: vbc.exe, 00000004.00000003.344845347.0000000000AD3000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.344790807.0000000000AD1000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.344128075.0000000000AD0000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
Source: vbc.exe, 00000004.00000002.345733015.0000000000AD4000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
Source: BID (ITB).exe, 00000002.00000002.593551856.0000000002AE3000.00000004.00000001.sdmp | String found in binary or memory: https://a.pomf.cat/
Source: vbc.exe, 00000004.00000002.345693308.00000000007A8000.00000004.00000020.sdmp | String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=$R
Source: vbc.exe, 00000004.00000002.345693308.00000000007A8000.00000004.00000020.sdmp | String found in binary or memory: https://contextual.media.net/check
Source: vbc.exe, 00000004.00000003.344128075.0000000000AD0000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.345693308.00000000007A8000.00000004.00000020.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 00000004.00000002.345693308.00000000007A8000.00000004.00000020.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=IT
Source: vbc.exe, 00000004.00000003.344128075.0000000000AD0000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: vbc.exe, 00000004.00000002.345693308.00000000007A8000.00000004.00000020.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1%T?M
Source: vbc.exe, 00000004.00000003.344128075.0000000000AD0000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
Source: vbc.exe, 00000004.00000002.345693308.00000000007A8000.00000004.00000020.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: BID (ITB).exe, 00000002.00000002.594343601.0000000002CE6000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
              Source: vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
              Source: vbc.exe, 00000004.00000002.345693308.00000000007A8000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome/
              Source: vbc.exe, 00000004.00000003.345060596.0000000000AD1000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.344790807.0000000000AD1000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.344128075.0000000000AD0000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex
              Source: vbc.exe, 00000004.00000002.345693308.00000000007A8000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome/static/images/
              Source: vbc.exe, 00000004.00000002.345693308.00000000007A8000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
              Source: vbc.exe, 00000004.00000002.345693308.00000000007A8000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0LMEM
              Source: vbc.exe, 00000004.00000003.344128075.0000000000AD0000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https:/

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              Yara detected HawkEye Keylogger
              Source: Yara match | File source: 00000002.00000002.588814290.000000000049F000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.325883859.0000000002A72000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.593572526.0000000002AE9000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.588491516.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000001.323545033.00000000004C7000.00000040.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.590203587.00000000021E0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.325980579.0000000002B0F000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.590308854.0000000002272000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.590483714.0000000002302000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: BID (ITB).exe PID: 4708, type: MEMORY
              Source: Yara match | File source: Process Memory Space: BID (ITB).exe PID: 6512, type: MEMORY
              Source: Yara match | File source: 2.2.BID (ITB).exe.21e0000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.BID (ITB).exe.21e0000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.BID (ITB).exe.2300000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.1.BID (ITB).exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.BID (ITB).exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.BID (ITB).exe.2270000.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.BID (ITB).exe.2a70000.2.unpack, type: UNPACKEDPE
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_0040FDCB OpenClipboard,GetLastError,DeleteFileW
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 1_2_00423B38 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 3_2_0042417C GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 1_2_0043EB50 GetKeyboardState

              System Summary:

              Malicious sample detected (through community Yara rule)
              Source: 00000002.00000002.596494924.0000000004AD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 00000002.00000002.588814290.000000000049F000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000001.00000002.325883859.0000000002A72000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000013.00000002.481145742.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 00000002.00000002.593572526.0000000002AE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000002.00000002.588491516.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000002.00000001.323545033.00000000004C7000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000002.00000002.590203587.00000000021E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000002.00000002.590203587.00000000021E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 00000001.00000002.325980579.0000000002B0F000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000002.00000002.590308854.0000000002272000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000002.00000002.590483714.0000000002302000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: Process Memory Space: BID (ITB).exe PID: 4708, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: Process Memory Space: BID (ITB).exe PID: 6512, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 2.2.BID (ITB).exe.21e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 2.2.BID (ITB).exe.21e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 2.2.BID (ITB).exe.21e0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 2.2.BID (ITB).exe.21e0000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 2.2.BID (ITB).exe.2300000.4.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 2.2.BID (ITB).exe.2300000.4.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 2.1.BID (ITB).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 2.1.BID (ITB).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 2.2.BID (ITB).exe.4ad0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 2.2.BID (ITB).exe.4ad0000.5.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 2.2.BID (ITB).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 2.2.BID (ITB).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 2.2.BID (ITB).exe.2270000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 2.2.BID (ITB).exe.2270000.3.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 1.2.BID (ITB).exe.2a70000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 1.2.BID (ITB).exe.2a70000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 1_2_0045C8E4 NtdllDefWindowProc_A
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 1_2_00441A88 NtdllDefWindowProc_A,GetCapture
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 1_2_004349C0 NtdllDefWindowProc_A
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 1_2_0045D060 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 1_2_0045D110 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 1_2_004514B4 GetSubMenu,SaveDC,RestoreDC,SaveDC,RestoreDC,NtdllDefWindowProc_A
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 2_2_00498159 NtCreateSection
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 2_2_0264CD6F NtUnmapViewOfSection,NtUnmapViewOfSection
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 3_2_0045C8E4 NtdllDefWindowProc_A
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 3_2_00441A88 NtdllDefWindowProc_A,GetCapture
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 3_2_004349C0 NtdllDefWindowProc_A
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 3_2_0045D060 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 3_2_0045D110 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 3_2_004514B4 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00445190 appears 36 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00416849 appears 66 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0040924D appears 31 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00412084 appears 39 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004166E8 appears 34 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00416A91 appears 88 times
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: String function: 004069B4 appears 36 times
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: String function: 00404390 appears 34 times
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: String function: 00403600 appears 51 times
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: String function: 0040436C appears 147 times
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: String function: 004039CC appears 62 times
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: String function: 0040C498 appears 36 times
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: String function: 00406738 appears 32 times
              Source: BID (ITB).exe, 00000001.00000000.321506688.000000000051C000.00000008.00020000.sdmp | Binary or memory string: OriginalFilename$ vs BID (ITB).exe
              Source: BID (ITB).exe, 00000001.00000002.325883859.0000000002A72000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameRebornX Stub.exe" vs BID (ITB).exe
              Source: BID (ITB).exe | Binary or memory string: OriginalFilename vs BID (ITB).exe
              Source: BID (ITB).exe, 00000002.00000002.596494924.0000000004AD0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BID (ITB).exe
              Source: BID (ITB).exe, 00000002.00000002.588814290.000000000049F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameRebornX Stub.exe" vs BID (ITB).exe
              Source: BID (ITB).exe, 00000002.00000002.597873941.0000000007ED0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs BID (ITB).exe
              Source: BID (ITB).exe, 00000002.00000002.597537164.0000000007A80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewmiutils.dll.muij% vs BID (ITB).exe
              Source: BID (ITB).exe, 00000002.00000000.322830991.000000000051C000.00000008.00020000.sdmp | Binary or memory string: OriginalFilename$ vs BID (ITB).exe
              Source: BID (ITB).exe, 00000003.00000000.324624104.000000000051C000.00000008.00020000.sdmp | Binary or memory string: OriginalFilename$ vs BID (ITB).exe
              Source: BID (ITB).exe | Binary or memory string: OriginalFilename$ vs BID (ITB).exe
              Source: 00000002.00000002.596494924.0000000004AD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 00000002.00000002.588814290.000000000049F000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000001.00000002.325883859.0000000002A72000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000013.00000002.481145742.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 00000002.00000002.593572526.0000000002AE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000002.00000002.588491516.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000002.00000001.323545033.00000000004C7000.00000040.00020000.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000002.00000002.590203587.00000000021E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000002.00000002.590203587.00000000021E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 00000001.00000002.325980579.0000000002B0F000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000002.00000002.590308854.0000000002272000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000002.00000002.590483714.0000000002302000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: Process Memory Space: BID (ITB).exe PID: 4708, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: Process Memory Space: BID (ITB).exe PID: 4708, type: MEMORY | Matched rule: CobaltStrike_C2_Host_Indicator, date = 2019-08-16, author = yara@s3c.za.net, description = Detects CobaltStrike C2 host artifacts
              Source: Process Memory Space: BID (ITB).exe PID: 6512, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.BID (ITB).exe.21e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.BID (ITB).exe.21e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 2.2.BID (ITB).exe.21e0000.2.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.BID (ITB).exe.21e0000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 2.2.BID (ITB).exe.2300000.4.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18, date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.BID (ITB).exe.2300000.4.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9, author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 2.1.BID (ITB).exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.1.BID (ITB).exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 2.2.BID (ITB).exe.4ad0000.5.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 2.2.BID (ITB).exe.4ad0000.5.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 2.2.BID (ITB).exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.BID (ITB).exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 2.2.BID (ITB).exe.2270000.3.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.BID (ITB).exe.2270000.3.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 1.2.BID (ITB).exe.2a70000.2.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 1.2.BID (ITB).exe.2a70000.2.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 1.2.BID (ITB).exe.2a70000.2.unpack, u200c???????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.BID (ITB).exe.2a70000.2.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.BID (ITB).exe.2a70000.2.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 1.2.BID (ITB).exe.2a70000.2.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 2.2.BID (ITB).exe.2300000.4.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 2.2.BID (ITB).exe.2300000.4.unpack, u200c???????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 2.2.BID (ITB).exe.2300000.4.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 2.2.BID (ITB).exe.2300000.4.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 2.2.BID (ITB).exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 2.2.BID (ITB).exe.400000.0.unpack, u200c???????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 2.2.BID (ITB).exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 2.2.BID (ITB).exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 1.2.BID (ITB).exe.2a70000.2.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
              Source: 1.2.BID (ITB).exe.2a70000.2.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 2.2.BID (ITB).exe.2300000.4.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
              Source: 2.2.BID (ITB).exe.2300000.4.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
              Source: 2.2.BID (ITB).exe.2300000.4.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
              Source: 2.2.BID (ITB).exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
              Source: 2.2.BID (ITB).exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 2.2.BID (ITB).exe.2270000.3.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
              Source: 2.2.BID (ITB).exe.2270000.3.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
              Source: 2.2.BID (ITB).exe.2270000.3.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
              Source: 2.2.BID (ITB).exe.400000.0.unpack, u206a????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
              Source: 1.2.BID (ITB).exe.2a70000.2.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
              Source: 1.2.BID (ITB).exe.2a70000.2.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
              Source: 1.2.BID (ITB).exe.2a70000.2.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
              Source: 2.2.BID (ITB).exe.2270000.3.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
              Source: 2.2.BID (ITB).exe.2270000.3.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 2.2.BID (ITB).exe.2300000.4.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
              Source: 2.2.BID (ITB).exe.2300000.4.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 2.2.BID (ITB).exe.400000.0.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
              Source: 2.2.BID (ITB).exe.400000.0.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
              Source: 2.2.BID (ITB).exe.400000.0.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
              Source: 1.2.BID (ITB).exe.2a70000.2.unpack, u206a????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
              Source: 2.2.BID (ITB).exe.2270000.3.unpack, u206a????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
              Source: 2.2.BID (ITB).exe.2300000.4.unpack, u206a????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
              Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@9/2@3/2
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 1_2_00420C50 GetLastError,FormatMessageA, 1_2_00420C50
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 1_2_00408D40 GetDiskFreeSpaceA, 1_2_00408D40
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00413C19 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification, 4_2_00413C19
              Source: C:\Users\user\Desktop\BID (ITB).exe | Code function: 1_2_00413DB0 FindResourceA, 1_2_00413DB0
              Source: C:\Users\user\Desktop\BID (ITB).exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
              Source: C:\Users\user\Desktop\BID (ITB).exe | Mutant created: \Sessions\1\BaseNamedObjects\f98d37f4-ca90-4ed7-9f6f-6121c4014605
              Source: C:\Users\user\Desktop\BID (ITB).exe | File created: C:\Users\user\AppData\Local\Temp\ca430d32-ada6-471a-5294-82dd58cbe52d
              Source: C:\Users\user\Desktop\BID (ITB).exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\user\Desktop\BID (ITB).exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\user\Desktop\BID (ITB).exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\BID (ITB).exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Users\user\Desktop\BID (ITB).exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
              Source: C:\Users\user\Desktop\BID (ITB).exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
              Source: C:\Users\user\Desktop\BID (ITB).exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
              Source: C:\Users\user\Desktop\BID (ITB).exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
              Source: C:\Users\user\Desktop\BID (ITB).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Users\user\Desktop\BID (ITB).exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\BID (ITB).exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\BID (ITB).exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\BID (ITB).exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\BID (ITB).exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\BID (ITB).exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: BID (ITB).exe, 00000002.00000002.596494924.0000000004AD0000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: BID (ITB).exe, 00000002.00000002.596494924.0000000004AD0000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: BID (ITB).exe, 00000002.00000002.596494924.0000000004AD0000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.345328835.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: BID (ITB).exe, 00000002.00000002.596494924.0000000004AD0000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: BID (ITB).exe, 00000002.00000002.596494924.0000000004AD0000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: BID (ITB).exe, 00000002.00000002.596494924.0000000004AD0000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: BID (ITB).exe, 00000002.00000002.596494924.0000000004AD0000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: BID (ITB).exe | Virustotal: Detection: 28%
              Source: BID (ITB).exe | ReversingLabs: Detection: 50%
              Source: unknown | Process created: C:\Users\user\Desktop\BID (ITB).exe 'C:\Users\user\Desktop\BID (ITB).exe'
              Source: unknown | Process created: C:\Users\user\Desktop\BID (ITB).exe 'C:\Users\user\Desktop\BID (ITB).exe'
              Source: unknown | Process created: C:\Users\user\Desktop\BID (ITB).exe 'C:\Users\user\Desktop\BID (ITB).exe' 2 4708 7258109
              Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpDE91.tmp'
              Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpDB22.tmp'
              Source: C:\Users\user\Desktop\BID (ITB).exe | Process created: C:\Users\user\Desktop\BID (ITB).exe 'C:\Users\user\Desktop\BID (ITB).exe'
              Source: C:\Users\user\Desktop\BID (ITB).exe | Process created: C:\Users\user\Desktop\BID (ITB).exe 'C:\Users\user\Desktop\BID (ITB).exe' 2 4708 7258109
              Source: C:\Users\user\Desktop\BID (ITB).exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpDE91.tmp'
              Source: C:\Users\user\Desktop\BID (ITB).exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpDB22.tmp'
              Source: C:\Users\user\Desktop\BID (ITB).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
              Source: C:\Users\user\Desktop\BID (ITB).exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: C:\Users\user\Desktop\BID (ITB).exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
              Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: BID (ITB).exe, 00000002.00000002.596494924.0000000004AD0000.00000004.00000001.sdmp, vbc.exe
              Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: BID (ITB).exe, 00000002.00000002.596494924.0000000004AD0000.00000004.00000001.sdmp, vbc.exe