
Analysis Report WFCDopUaDQ

Overview

General Information

Sample Name: WFCDopUaDQ (renamed file extension from none to exe)
Analysis ID: 316987
MD5: a79e92cc145ea8407a4ed30fee0a912b
SHA1: 7a8ea767226ef0da7ed927f9e1a8b57418cdb916
SHA256: 6e576c6aee1a0e3adf5e36c0ae52d1eda0ec0171fe8163bb0983f62a0e23c0da

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Binary is likely a compiled AutoIt script file
Contains functionality to inject code into remote processes
Injects a PE file into a foreign process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Startup

  • System is w10x64
  • WFCDopUaDQ.exe (PID: 4548 cmdline: 'C:\Users\user\Desktop\WFCDopUaDQ.exe' MD5: A79E92CC145EA8407A4ED30FEE0A912B)
    • RegSvcs.exe (PID: 6004 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)
      • vbc.exe (PID: 2564 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp7A6D.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 5740 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp7604.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • wscript.exe (PID: 6716 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\chrome\DeviceProperties.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • microsoft.exe (PID: 6844 cmdline: 'C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe' MD5: 18CBE6664D2634D0914C7282BBF305F0)
      • RegSvcs.exe (PID: 6244 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)
        • vbc.exe (PID: 6728 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9AD.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • vbc.exe (PID: 3328 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp11E.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeviceProperties.url | Methodology_Suspicious_Shortcut_Local_URL | Detects local script usage for .URL persistence | @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
  • 0x13:$file: URL=file:///
  • 0x0:$url_explicit: [InternetShortcut]
dropped/DeviceProperties.url | Methodology_Suspicious_Shortcut_Local_URL | Detects local script usage for .URL persistence | @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
  • 0x13:$file: URL=file:///
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.506645608.0000000003449000.00000004.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x8f460:$s1: HawkEye Keylogger
  • 0x8e564:$s2: _ScreenshotLogger
  • 0x8eab0:$s2: _ScreenshotLogger
  • 0x8e531:$s3: _PasswordStealer
  • 0x8ea7d:$s3: _PasswordStealer
00000004.00000002.506645608.0000000003449000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000004.00000002.509111817.000000000362F000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000004.00000003.276284178.0000000004CA3000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000004.00000003.276284178.0000000004CA3000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
(49 entries in total; only the first are listed here)

Unpacked PEs

Source | Rule | Description | Author | Strings
23.2.vbc.exe.400000.0.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
23.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
20.2.RegSvcs.exe.400000.0.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x87c2e:$s1: HawkEye Keylogger
  • 0x87c97:$s1: HawkEye Keylogger
  • 0x81071:$s2: _ScreenshotLogger
  • 0x8103e:$s3: _PasswordStealer
20.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
20.2.RegSvcs.exe.400000.0.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen
  • 0x87c2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2}
  • 0x87c97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4}
  • 0x8103e:$str1: _PasswordStealer
  • 0x8104f:$str2: _KeyStrokeLogger
  • 0x81071:$str3: _ScreenshotLogger
  • 0x81060:$str4: _ClipboardLogger
  • 0x81083:$str5: _WebCamLogger
  • 0x81198:$str6: _AntiVirusKiller
  • 0x81186:$str7: _ProcessElevation
  • 0x8114d:$str8: _DisableCommandPrompt
  • 0x81253:$str9: _WebsiteBlocker
  • 0x81263:$str9: _WebsiteBlocker
  • 0x81139:$str10: _DisableTaskManager
  • 0x811b4:$str11: _AntiDebugger
  • 0x8123e:$str12: _WebsiteVisitorSites
  • 0x81163:$str13: _DisableRegEdit
  • 0x811c2:$str14: _ExecutionDelay
  • 0x810e7:$str15: _InstallStartupPersistance
(31 entries in total; only the first are listed here)

Sigma Overview

System Summary:

Sigma detected: Drops script at startup location
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\WFCDopUaDQ.exe, ProcessId: 4548, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeviceProperties.url

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: WFCDopUaDQ.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe | Avira: detection malicious, Label: HEUR/AGEN.1102698
Found malware configuration
Source: vbc.exe.6728.21.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for domain / URL
Source: http://pomf.cat/upload.php | Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: WFCDopUaDQ.exe | Virustotal: Detection: 63%
Source: WFCDopUaDQ.exe | Metadefender: Detection: 48%
Source: WFCDopUaDQ.exe | ReversingLabs: Detection: 70%
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.3.WFCDopUaDQ.exe.4280000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 20.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 15.3.microsoft.exe.47e0000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe | Code function: 0_2_00A24696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00A24696
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,6_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,6_2_00408CAC
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe | Code function: 15_2_003C4696 GetFileAttributesW,FindFirstFileW,FindClose,15_2_003C4696
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe | Code function: 15_2_003CF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,15_2_003CF200
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe | Code function: 15_2_003C3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,15_2_003C3D4E
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe | Code function: 15_2_003CC93C FindFirstFileW,FindClose,15_2_003CC93C
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe | Code function: 15_2_003CC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,15_2_003CC9C7
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe | Code function: 15_2_003CF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,15_2_003CF35D
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe | Code function: 15_2_003CF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,15_2_003CF65E
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe | Code function: 15_2_003C3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,15_2_003C3A2B
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe | Code function: 15_2_003CBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,15_2_003CBF27
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 21_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,21_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 21_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,21_2_00408CAC
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe | Code function: 15_2_003D25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,15_2_003D25E2
              Source: vbc.exe, 00000006.00000003.284304751.0000000002351000.00000004.00000001.sdmp, vbc.exe, 00000015.00000003.361759528.0000000002281000.00000004.00000001.sdmpString found in binary or memory: =chrome&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://www.bing.com/orgid/idtoken/nosigninhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852188168;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852188168;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.microsoft.com/en-us/edge/?form=MA13DL&OC
ID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/logine%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2
              Source: RegSvcs.exe, 00000004.00000003.276284178.0000000004CA3000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.284883753.0000000000400000.00000040.00000001.sdmp, RegSvcs.exe, 00000014.00000002.507706087.0000000004BC0000.00000004.00000001.sdmp, vbc.exe, 00000015.00000002.362088705.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: RegSvcs.exe, 00000004.00000003.276284178.0000000004CA3000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.284883753.0000000000400000.00000040.00000001.sdmp, RegSvcs.exe, 00000014.00000002.507706087.0000000004BC0000.00000004.00000001.sdmp, vbc.exe, 00000015.00000002.362088705.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: vbc.exe, 00000006.00000002.285898444.0000000002352000.00000004.00000001.sdmp, vbc.exe, 00000015.00000002.362627281.0000000002282000.00000004.00000001.sdmpString found in binary or memory: MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/logine%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehp equals www.facebook.com (Facebook)
              Source: vbc.exe, 00000006.00000002.285898444.0000000002352000.00000004.00000001.sdmp, vbc.exe, 00000015.00000002.362627281.0000000002282000.00000004.00000001.sdmpString found in binary or memory: MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/logine%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehp equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: vbc.exe, 00000006.00000003.284304751.0000000002351000.00000004.00000001.sdmp, vbc.exe, 00000015.00000003.361759528.0000000002281000.00000004.00000001.sdmpString found in binary or memory: =chrome&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://www.bing.com/orgid/idtoken/nosigninhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852188168;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852188168;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.microsoft.com/en-us/edge/?form=MA13DL&OC
ID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/logine%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2
Source: RegSvcs.exe, 00000004.00000003.276284178.0000000004CA3000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.284883753.0000000000400000.00000040.00000001.sdmp, RegSvcs.exe, 00000014.00000002.507706087.0000000004BC0000.00000004.00000001.sdmp, vbc.exe, 00000015.00000002.362088705.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: RegSvcs.exe, 00000004.00000003.276284178.0000000004CA3000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.284883753.0000000000400000.00000040.00000001.sdmp, RegSvcs.exe, 00000014.00000002.507706087.0000000004BC0000.00000004.00000001.sdmp, vbc.exe, 00000015.00000002.362088705.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, 00000006.00000002.285898444.0000000002352000.00000004.00000001.sdmp, vbc.exe, 00000015.00000002.362627281.0000000002282000.00000004.00000001.sdmp | String found in binary or memory: MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/logine%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehp equals www.facebook.com (Facebook)
Source: vbc.exe, 00000006.00000002.285898444.0000000002352000.00000004.00000001.sdmp, vbc.exe, 00000015.00000002.362627281.0000000002282000.00000004.00000001.sdmp | String found in binary or memory: MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/logine%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehp equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: RegSvcs.exe, 00000014.00000002.505543485.0000000002BD3000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com/
Source: RegSvcs.exe, 00000004.00000002.506568485.0000000003443000.00000004.00000001.sdmp, RegSvcs.exe, 00000014.00000002.505543485.0000000002BD3000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php
Source: WFCDopUaDQ.exe, 00000000.00000003.274403937.0000000004282000.00000040.00000001.sdmp, RegSvcs.exe, 00000004.00000002.502354693.0000000000402000.00000020.00000001.sdmp, microsoft.exe, 0000000F.00000003.352233458.00000000047E2000.00000040.00000001.sdmp, RegSvcs.exe, 00000014.00000002.502347272.0000000000402000.00000020.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: RegSvcs.exe, 00000004.00000002.506568485.0000000003443000.00000004.00000001.sdmp, RegSvcs.exe, 00000014.00000002.505543485.0000000002BD3000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: vbc.exe, 00000006.00000002.284852811.000000000019C000.00000004.00000010.sdmp, vbc.exe, 00000015.00000002.362038428.000000000019C000.00000004.00000010.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: vbc.exe, 0000001B.00000002.496110555.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: vbc.exe, 00000006.00000002.285486588.0000000000787000.00000004.00000020.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779
Source: RegSvcs.exe, 00000004.00000002.506568485.0000000003443000.00000004.00000001.sdmp, RegSvcs.exe, 00000014.00000002.505543485.0000000002BD3000.00000004.00000001.sdmp | String found in binary or memory: https://a.pomf.cat/
Source: vbc.exe, 00000006.00000003.284382452.000000000234F000.00000004.00000001.sdmp, vbc.exe, 00000015.00000003.361795695.000000000227F000.00000004.00000001.sdmp | String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt
Source: vbc.exe, 00000006.00000002.285486588.0000000000787000.00000004.00000020.sdmp | String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=
Source: vbc.exe, 00000015.00000002.362463672.00000000006AC000.00000004.00000020.sdmp | String found in binary or memory: https://contextual.m
Source: vbc.exe, 00000015.00000002.362463672.00000000006AC000.00000004.00000020.sdmp | String found in binary or memory: https://contextual.media
Source: vbc.exe, 00000006.00000002.285486588.0000000000787000.00000004.00000020.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=
Source: vbc.exe, 00000006.00000003.284382452.000000000234F000.00000004.00000001.sdmp, vbc.exe, 00000015.00000003.361795695.000000000227F000.00000004.00000001.sdmp, vbc.exe, 00000015.00000002.362463672.00000000006AC000.00000004.00000020.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 00000015.00000002.362463672.00000000006AC000.00000004.00000020.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1bh
Source: vbc.exe, 00000006.00000003.284382452.000000000234F000.00000004.00000001.sdmp, vbc.exe, 00000015.00000003.361795695.000000000227F000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: vbc.exe, 00000015.00000002.362463672.00000000006AC000.00000004.00000020.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&
Source: vbc.exe, 00000006.00000003.284382452.000000000234F000.00000004.00000001.sdmp, vbc.exe, 00000015.00000003.361795695.000000000227F000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
Source: vbc.exe, 00000015.00000002.362463672.00000000006AC000.00000004.00000020.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: vbc.exe, 00000015.00000002.362463672.00000000006AC000.00000004.00000020.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=
Source: vbc.exe, 00000006.00000003.283079591.0000000002350000.00000004.00000001.sdmp, vbc.exe, 00000015.00000003.361325695.0000000002280000.00000004.00000001.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: vbc.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 00000015.00000002.362463672.00000000006AC000.00000004.00000020.sdmp | String found in binary or memory: https://www.google.com/c
Source: vbc.exe, 00000006.00000002.285486588.0000000000787000.00000004.00000020.sdmp | String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon
Source: vbc.exe, 00000006.00000002.285486588.0000000000787000.00000004.00000020.sdmp, vbc.exe, 00000015.00000002.362463672.00000000006AC000.00000004.00000020.sdmp | String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: vbc.exe, 00000006.00000002.285486588.0000000000787000.00000004.00000020.sdmp, vbc.exe, 00000015.00000002.362463672.00000000006AC000.00000004.00000020.sdmp | String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0LMEM

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000004.00000002.506645608.0000000003449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.505554610.0000000002BD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.502354693.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.274403937.0000000004282000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.502347272.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.352233458.00000000047E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6244, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6004, type: MEMORY
Source: Yara match | File source: Process Memory Space: microsoft.exe PID: 6844, type: MEMORY
Source: Yara match | File source: Process Memory Space: WFCDopUaDQ.exe PID: 4548, type: MEMORY
Source: Yara match | File source: 20.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.3.microsoft.exe.47e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.WFCDopUaDQ.exe.4280000.0.unpack, type: UNPACKEDPE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_0040F078 OpenClipboard,GetLastError,DeleteFileW, 6_2_0040F078
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe | Code function: 15_2_003D425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalFix,CloseClipboard,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnWire,CountClipboardFormats,CloseClipboard, 15_2_003D425A
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe | Code function: 0_2_009C2344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 0_2_009C2344
Source: WFCDopUaDQ.exe, 00000000.00000003.281040497.0000000001203000.00000004.00000001.sdmp | Binary or memory string: _WINAPI_REGISTERRAWINPUTDEVICES#
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe | Code function: 0_2_00A4CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00A4CDAC
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe | Code function: 15_2_003ECDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 15_2_003ECDAC

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.506645608.0000000003449000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 00000014.00000002.505554610.0000000002BD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 00000004.00000002.502354693.0000000000402000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 00000000.00000003.274403937.0000000004282000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 00000014.00000002.507706087.0000000004BC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 00000017.00000002.419059940.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 00000014.00000002.502347272.0000000000402000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 0000000F.00000003.352233458.00000000047E2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 00000004.00000002.509934190.0000000005430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 0000001B.00000002.496110555.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 6244, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 6004, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: Process Memory Space: microsoft.exe PID: 6844, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: Process Memory Space: WFCDopUaDQ.exe PID: 4548, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 23.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 20.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 20.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
Source: 27.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 27.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 15.3.microsoft.exe.47e0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 15.3.microsoft.exe.47e0000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
Source: 23.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
Source: 20.2.RegSvcs.exe.4bc0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 0.3.WFCDopUaDQ.exe.4280000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 0.3.WFCDopUaDQ.exe.4280000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
Source: 4.2.RegSvcs.exe.5430000.1.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 4.2.RegSvcs.exe.5430000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 20.2.RegSvcs.exe.4bc0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe; Code function: 0_2_009C3B4C; String: This is a third-party compiled AutoIt script.
Source: WFCDopUaDQ.exe; String found in binary or memory: This is a third-party compiled AutoIt script.
Source: WFCDopUaDQ.exe, 00000000.00000002.284903907.0000000000A75000.00000040.00020000.sdmp; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_00363B4C; String: This is a third-party compiled AutoIt script.
Source: microsoft.exe; String found in binary or memory: This is a third-party compiled AutoIt script.
Source: microsoft.exe, 0000000F.00000002.361567853.0000000000415000.00000040.00020000.sdmp; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe; Code function: 0_2_009C3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe; Code function: 0_2_009C1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe; Code function: 0_2_009C1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,73C54310,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe; Code function: 0_2_00A4C220 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe; Code function: 0_2_00A4C27C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe; Code function: 0_2_00A4C49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe; Code function: 0_2_009C16B5 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe; Code function: 0_2_009C16DE GetParent,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe; Code function: 0_2_00A4D6C6 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe; Code function: 0_2_009C167D NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe; Code function: 0_2_00A4C788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe; Code function: 0_2_00A4D74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe; Code function: 0_2_009C189B NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe; Code function: 0_2_00A4C8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe; Code function: 0_2_00A4C86D SendMessageW,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe; Code function: 0_2_00A4DA9A NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe; Code function: 0_2_00A4CBAE NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe; Code function: 0_2_00A4CBF9 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe; Code function: 0_2_00A4CB7F NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe; Code function: 0_2_00A4CB50 NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe; Code function: 0_2_00A4CC2E ClientToScreen,NtdllDialogWndProc_W
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe; Code function: 0_2_00A4CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\Desktop\WFCDopUaDQ.exe; Code function: 0_2_00A4CD6C GetWindowLongW,NtdllDialogWndProc_W
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Code function: 4_2_0563ACC8 NtUnmapViewOfSection,NtUnmapViewOfSection
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 6_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_00363633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_003EC220 NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_003EC27C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_003EC49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_003EC788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_003EC86D SendMessageW,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_003EC8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_003ECB7F NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_003ECB50 NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_003ECBAE NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_003ECBF9 NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_003ECC2E ClientToScreen,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_003ECD6C GetWindowLongW,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_003ECDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_00361290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_00361287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,73C54310,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_0036167D NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_003616B5 NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_003616DE GetParent,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_003ED6C6 NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_003ED74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_0036189B NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_003EDA9A NtdllDialogWndProc_W
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_003EBF4D NtdllDialogWndProc_W,CallWindowProcW
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Code function: 20_2_04D6A750 NtUnmapViewOfSection,NtUnmapViewOfSection
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 21_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_003C4021 CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_003B8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,732E6290,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe; Code function: 15_2_003C545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D6558820_2_04D65588
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D64DB020_2_04D64DB0
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D60D7020_2_04D60D70
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D67F1020_2_04D67F10
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D6751820_2_04D67518
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D67EC120_2_04D67EC1
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D6369C20_2_04D6369C
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D6188B20_2_04D6188B
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D6388B20_2_04D6388B
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D638B720_2_04D638B7
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D63AB420_2_04D63AB4
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D608B020_2_04D608B0
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D6184620_2_04D61846
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D63A7720_2_04D63A77
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D6167120_2_04D61671
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D6367120_2_04D63671
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D61A6620_2_04D61A66
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D6386820_2_04D63868
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D6321020_2_04D63210
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D6361B20_2_04D6361B
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D6321820_2_04D63218
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D63C0020_2_04D63C00
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D63E0020_2_04D63E00
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D6860820_2_04D68608
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D63A3A20_2_04D63A3A
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D67A2020_2_04D67A20
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D66A2820_2_04D66A28
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D639DA20_2_04D639DA
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D641D820_2_04D641D8
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D645C020_2_04D645C0
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D619CE20_2_04D619CE
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D637FA20_2_04D637FA
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D63DF920_2_04D63DF9
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D6358020_2_04D63580
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D61B8F20_2_04D61B8F
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D637B820_2_04D637B8
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D64DA120_2_04D64DA1
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D6374420_2_04D63744
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D6194020_2_04D61940
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D6157620_2_04D61576
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D6377720_2_04D63777
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D6197720_2_04D61977
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D61D7020_2_04D61D70
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D6576820_2_04D65768
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D6371120_2_04D63711
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D63B0F20_2_04D63B0F
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D6390D20_2_04D6390D
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D6750820_2_04D67508
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D6273020_2_04D62730
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 20_2_04D66D3020_2_04D66D30
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 21_2_0044900F21_2_0044900F
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 21_2_004042EB21_2_004042EB
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 21_2_0041428121_2_00414281
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 21_2_0041029121_2_00410291
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 21_2_004063BB21_2_004063BB
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 21_2_0041562421_2_00415624
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 21_2_0041668D21_2_0041668D
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 21_2_0040477F21_2_0040477F
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 21_2_0040487C21_2_0040487C
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 21_2_0043589B21_2_0043589B
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 21_2_0043BA9D21_2_0043BA9D
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 21_2_0043FBD321_2_0043FBD3
              Source: C:\Users\user\Desktop\WFCDopUaDQ.exeCode function: String function: 009E8B40 appears 42 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 0044465C appears 36 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 0044466E appears 40 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00415F19 appears 68 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 0044468C appears 72 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00444B90 appears 72 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 0041607A appears 132 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 0042F6EF appears 32 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 004162C2 appears 174 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 004083D6 appears 64 times
              Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe | Code function: String function: 00388B40 appears 42 times
              Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe | Code function: String function: 00380D27 appears 70 times
              Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe | Code function: String function: 00367F41 appears 35 times
              Source: WFCDopUaDQ.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: WFCDopUaDQ.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: WFCDopUaDQ.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: WFCDopUaDQ.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: WFCDopUaDQ.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: WFCDopUaDQ.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: microsoft.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: microsoft.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: microsoft.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: microsoft.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: microsoft.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: microsoft.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: WFCDopUaDQ.exe, 00000000.00000003.280742929.000000000131E000.00000004.00000001.sdmp | Binary or memory string: FV_ORIGINALFILENAME vs WFCDopUaDQ.exe
              Source: WFCDopUaDQ.exe, 00000000.00000003.280742929.000000000131E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameM vs WFCDopUaDQ.exe
              Source: WFCDopUaDQ.exe, 00000000.00000003.274403937.0000000004282000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs WFCDopUaDQ.exe
              Source: WFCDopUaDQ.exe, 00000000.00000003.277326778.00000000015B4000.00000004.00000001.sdmp | Binary or memory string: Comments|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuild' vs WFCDopUaDQ.exe
              Source: WFCDopUaDQ.exe, 00000000.00000003.277255589.0000000003B01000.00000004.00000001.sdmp | Binary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuild vs WFCDopUaDQ.exe
              Source: WFCDopUaDQ.exe, 00000000.00000002.285252407.000000000121A000.00000004.00000001.sdmp | Binary or memory string: FV_ORIGINALFILENAME:g? vs WFCDopUaDQ.exe
              Source: WFCDopUaDQ.exe, 00000000.00000002.285342083.00000000015C7000.00000004.00000001.sdmp | Binary or memory string: Comments|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuild vs WFCDopUaDQ.exe
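The "OriginalFilename ... vs WFCDopUaDQ.exe" hits above come from string-scanning the sample's memory dumps for the VS_VERSIONINFO key and finding a value (here "Reborn Stub.exe") that does not match the name the file was run under. The script below is an added example, not part of this report or of the sandbox's own code: it extracts every UTF-16LE OriginalFilename value from a raw buffer the same way and reports the masquerade. The sample buffer is constructed with a simplified String-entry builder and a hypothetical CompanyName; the only value taken from the page is the OriginalFilename string.

```python
"""Added example (not from the sandbox report): recover OriginalFilename from a PE
image or memory dump by scanning for the UTF-16LE VS_VERSIONINFO key, then
compare it with the name the file runs under. The buffer built below is
constructed for the demo; a real VERSIONINFO block also carries VS_FIXEDFILEINFO
and other keys, which the scan simply ignores.
"""
import re
import struct

# "OriginalFilename" exactly as it is stored inside the StringFileInfo block.
_KEY = "OriginalFilename".encode("utf-16-le")


def extract_original_filenames(blob):
    """Return every OriginalFilename value found in blob (bytes), in order.

    A String entry is laid out as: key (UTF-16LE, NUL-terminated), zero padding
    to a 4-byte boundary, then the value (UTF-16LE, NUL-terminated). After the
    key we skip NUL pairs (terminator plus padding) and read up to the next one.
    """
    found = []
    for match in re.finditer(re.escape(_KEY), blob):
        pos = match.end()
        while pos + 1 < len(blob) and blob[pos:pos + 2] == b"\x00\x00":
            pos += 2                      # key terminator and alignment padding
        end = pos
        while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
            end += 2                      # advance one UTF-16 code unit at a time
        try:
            value = blob[pos:end].decode("utf-16-le")
        except UnicodeDecodeError:
            continue                      # false hit in unrelated data
        if value:
            found.append(value)
    return found


def masquerade_check(blob, running_name):
    """Return (mismatch, names): mismatch is True when no embedded
    OriginalFilename equals the on-disk name (compared case-insensitively, as
    NTFS does). No embedded name at all is reported as no mismatch."""
    names = extract_original_filenames(blob)
    if not names:
        return (False, names)
    return (all(n.lower() != running_name.lower() for n in names), names)


def build_string_entry(key, value):
    """Construct one String entry (wLength, wValueLength, wType, szKey, padding,
    szValue) in the layout the resource compiler emits. Simplified: wValueLength
    counts WCHARs including the NUL, wType 1 marks a text value."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = value.encode("utf-16-le") + b"\x00\x00"
    pad = b"\x00" * ((4 - (6 + len(k)) % 4) % 4)
    body = k + pad + v
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body


# Constructed stand-in for a memory dump: some leading bytes, two String entries
# (CompanyName is hypothetical), then unrelated trailing bytes.
SAMPLE_DUMP = (b"\x00" * 16
               + build_string_entry("CompanyName", "Contoso")
               + build_string_entry("OriginalFilename", "Reborn Stub.exe")
               + b"\x90" * 8)

if __name__ == "__main__":
    mismatch, names = masquerade_check(SAMPLE_DUMP, "WFCDopUaDQ.exe")
    print("embedded OriginalFilename:", names, "masquerade:", mismatch)
```

Run it against a whole process dump or the file itself; a sample that packs several embedded stubs yields several names, and any of them matching the on-disk name clears the check.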
              Source: C:\Windows\System32\wscript.exe | Section loaded: sfc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sfc.dll
              Source: 00000004.00000002.506645608.0000000003449000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000014.00000002.505554610.0000000002BD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000004.00000002.502354693.0000000000402000.00000020.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000000.00000003.274403937.0000000004282000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000014.00000002.507706087.0000000004BC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 00000017.00000002.419059940.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 00000014.00000002.502347272.0000000000402000.00000020.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0000000F.00000003.352233458.00000000047E2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000004.00000002.509934190.0000000005430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0000001B.00000002.496110555.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: Process Memory Space: RegSvcs.exe PID: 6244, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: Process Memory Space: RegSvcs.exe PID: 6004, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: Process Memory Space: microsoft.exe PID: 6844, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: Process Memory Space: WFCDopUaDQ.exe PID: 4548, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeviceProperties.url, type: DROPPED | Matched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: dropped/DeviceProperties.url, type: DROPPED | Matched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 23.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 20.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 20.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 27.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 27.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 15.3.microsoft.exe.47e0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 15.3.microsoft.exe.47e0000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 23.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 20.2.RegSvcs.exe.4bc0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.3.WFCDopUaDQ.exe.4280000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.3.WFCDopUaDQ.exe.4280000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 4.2.RegSvcs.exe.5430000.1.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 4.2.RegSvcs.exe.5430000.1.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 20.2.RegSvcs.exe.4bc0000.1.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: Process Memory Space: RegSvcs.exe PID: 6244, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: Process Memory Space: RegSvcs.exe PID: 6004, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: Process Memory Space: microsoft.exe PID: 6844, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: Process Memory Space: WFCDopUaDQ.exe PID: 4548, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeviceProperties.url, type: DROPPEDMatched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: dropped/DeviceProperties.url, type: DROPPEDMatched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 23.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 20.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 20.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 27.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 27.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 15.3.microsoft.exe.47e0000.0.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 15.3.microsoft.exe.47e0000.0.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 23.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 20.2.RegSvcs.exe.4bc0000.1.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.3.WFCDopUaDQ.exe.4280000.0.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.3.WFCDopUaDQ.exe.4280000.0.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 4.2.RegSvcs.exe.5430000.1.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 4.2.RegSvcs.exe.5430000.1.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 20.2.RegSvcs.exe.4bc0000.1.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.3.WFCDopUaDQ.exe.4280000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.3.WFCDopUaDQ.exe.4280000.0.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.3.WFCDopUaDQ.exe.4280000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.3.WFCDopUaDQ.exe.4280000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
              Source: 4.2.RegSvcs.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 4.2.RegSvcs.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 4.2.RegSvcs.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
              Source: 4.2.RegSvcs.exe.400000.0.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 15.3.microsoft.exe.47e0000.0.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 15.3.microsoft.exe.47e0000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 15.3.microsoft.exe.47e0000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 15.3.microsoft.exe.47e0000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
              Source: 0.3.WFCDopUaDQ.exe.4280000.0.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
              Source: 20.2.RegSvcs.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
              Source: 20.2.RegSvcs.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 15.3.microsoft.exe.47e0000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
              Source: 15.3.microsoft.exe.47e0000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
              Source: 15.3.microsoft.exe.47e0000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
              Source: 20.2.RegSvcs.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
              Source: 20.2.RegSvcs.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
              Source: 20.2.RegSvcs.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
              Source: 4.2.RegSvcs.exe.400000.0.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
              Source: 0.3.WFCDopUaDQ.exe.4280000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
              Source: 0.3.WFCDopUaDQ.exe.4280000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 4.2.RegSvcs.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
              Source: 4.2.RegSvcs.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
              Source: 4.2.RegSvcs.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
              Source: 20.2.RegSvcs.exe.400000.0.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
              Source: 0.3.WFCDopUaDQ.exe.4280000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
              Source: 0.3.WFCDopUaDQ.exe.4280000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
              Source: 0.3.WFCDopUaDQ.exe.4280000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
              Source: 15.3.microsoft.exe.47e0000.0.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
              Source: 15.3.microsoft.exe.47e0000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
              Source: 15.3.microsoft.exe.47e0000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 4.2.RegSvcs.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
              Source: 4.2.RegSvcs.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@16/7@0/0
              Source: C:\Users\user\Desktop\WFCDopUaDQ.exe Code function: 0_2_00A2A2D5 GetLastError,FormatMessageW,0_2_00A2A2D5
              Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe Code function: 15_2_003B8713 AdjustTokenPrivileges,CloseHandle,15_2_003B8713
              Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe Code function: 15_2_003B8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,15_2_003B8CC3
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00418073 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,6_2_00418073
              Source: C:\Users\user\Desktop\WFCDopUaDQ.exe Code function: 0_2_00A23E91 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00A23E91
              Source: C:\Users\user\Desktop\WFCDopUaDQ.exe Code function: 0_2_009C4FE9 FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_009C4FE9
              Source: C:\Users\user\Desktop\WFCDopUaDQ.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeviceProperties.url
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\80a3fcc7-9f03-4864-84c2-17243b53b034
              Source: C:\Users\user\Desktop\WFCDopUaDQ.exe File created: C:\Users\user\AppData\Local\Temp\chrome
              Source: unknown Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\chrome\DeviceProperties.vbs'
              Source: C:\Users\user\AppData\Local\Temp\chrome\microsoft.exe Command line argument: 8 15_2_0036492E
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
              Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\WFCDopUaDQ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: vbc.exe, 00000006.00000002.284883753.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000015.00000002.362088705.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'