
Analysis Report 5Av43Q5IXd

Overview

General Information

Sample Name: 5Av43Q5IXd (renamed file extension from none to exe)
Analysis ID: 317605
MD5: 4f8ebef974f4600650a81297691ad41d
SHA1: 9d84f9fef43afd3820b0bdb10a33609c5bd6e6a6
SHA256: 772a1b14d54449948ca15842a7a8eb4ac5d17df3b9a93dcb4c7f3bb1b46c238d
Tags: HawkEye

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Generic Dropper
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to detect virtual machines (STR)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 5Av43Q5IXd.exe (PID: 4908 cmdline: 'C:\Users\user\Desktop\5Av43Q5IXd.exe' MD5: 4F8EBEF974F4600650A81297691AD41D)
    • 5Av43Q5IXd.exe (PID: 5768 cmdline: 'C:\Users\user\Desktop\5Av43Q5IXd.exe' MD5: 4F8EBEF974F4600650A81297691AD41D)
      • vbc.exe (PID: 5596 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • conhost.exe (PID: 5580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • vbc.exe (PID: 5748 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • conhost.exe (PID: 4580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • vbc.exe (PID: 4188 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 3888 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 1760 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 708 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • dw20.exe (PID: 1308 cmdline: dw20.exe -x -s 972 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
  • WindowsUpdate.exe (PID: 5048 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 4F8EBEF974F4600650A81297691AD41D)
  • WindowsUpdate.exe (PID: 1200 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 4F8EBEF974F4600650A81297691AD41D)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["Mail PassView", "mailpv"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.506523968.000000000048C000.00000020.00020000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x1590c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000016.00000002.489494143.000000000048C000.00000020.00020000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x1590c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000016.00000000.441153411.000000000048C000.00000020.00020000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x1590c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000001B.00000002.488379198.000000000048C000.00000020.00020000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x1590c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000B.00000002.542171485.0000000008127000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
19.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
19.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
18.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
11.2.5Av43Q5IXd.exe.21c0000.1.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
11.2.5Av43Q5IXd.exe.21c0000.1.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 5Av43Q5IXd.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Avira: detection malicious, Label: HEUR/AGEN.1124490
Found malware configuration
Source: vbc.exe.4188.18.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["Mail PassView", "mailpv"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Metadefender: Detection: 45%
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | ReversingLabs: Detection: 66%
Multi AV Scanner detection for submitted file
Source: 5Av43Q5IXd.exe | Metadefender: Detection: 45%
Source: 5Av43Q5IXd.exe | ReversingLabs: Detection: 66%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 5Av43Q5IXd.exe | Joe Sandbox ML: detected
Source: 11.2.5Av43Q5IXd.exe.21c0000.1.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 11.2.5Av43Q5IXd.exe.21c0000.1.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 5Av43Q5IXd.exe, 0000000B.00000002.535335599.0000000006F41000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: 5Av43Q5IXd.exe, 0000000B.00000002.535335599.0000000006F41000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, | 18_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, | 19_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, | 19_2_00407E0E
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 11_2_0227D4C8
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 11_2_0227B217
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 4x nop then call 022767F0h | 11_2_0227E814
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 11_2_0227E814
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 4x nop then jmp 02276736h | 11_2_02276660
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 11_2_0227FA6D
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 4x nop then jmp 02276736h | 11_2_02276670
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 11_2_022764B3
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 11_2_0227D4B9
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 4x nop then call 022767F0h | 11_2_0227E922
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 11_2_0227E922
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 11_2_0227C12A
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 11_2_02270773
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 11_2_0227F95F
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 11_2_0227B781
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 11_2_0227B39D
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 4x nop then mov esp, ebp | 11_2_022799E7
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 11_2_0227EFE7
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 4x nop then call 022767F0h | 11_2_0227DDE8
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 11_2_0227DDE8
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 11_2_0227EBFF
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 11_2_022719C3

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: whatismyipaddress.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: whatismyipaddress.com; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.16.154.36
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_000EA186 recv, | 11_2_000EA186
Source: 5Av43Q5IXd.exe, 0000000B.00000002.542171485.0000000008127000.00000004.00000001.sdmp, vbc.exe, 00000013.00000002.490650384.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: 5Av43Q5IXd.exe, 0000000B.00000002.542171485.0000000008127000.00000004.00000001.sdmp, vbc.exe, 00000013.00000002.490650384.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000013.00000002.491481199.0000000000B6B000.00000004.00000040.sdmp | String found in binary or memory: https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 00000013.00000002.491481199.0000000000B6B000.00000004.00000040.sdmp | String found in binary or memory: https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 49.39.14.0.in-addr.arpa
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.542171485.0000000008127000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp, 5Av43Q5IXd.exe, 0000000B.00000003.393445507.000000000954B000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.542171485.0000000008127000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
              Source: vbc.exe, 00000013.00000002.491318448.000000000074C000.00000004.00000020.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.535335599.0000000006F41000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.535335599.0000000006F41000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.396078003.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.395069424.000000000955C000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.398554333.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.397155171.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com-
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.398968628.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com.TTF
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.397112896.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/A
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.398968628.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/e
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.398554333.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF_
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.397968869.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comI.TTF&
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543939080.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.398554333.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalic
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.398385760.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comals-
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.397968869.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcom/A
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.397787896.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.397787896.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd-
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543939080.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.come.com;
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.397787896.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.come.coml
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.397576316.0000000009565000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comessed
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.397304986.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comessed-
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543939080.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.commom
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.397968869.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comnc./e
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.397787896.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.como&
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.398775880.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coms(
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.398554333.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comtota
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.394592560.000000000953C000.00000004.00000001.sdmp, 5Av43Q5IXd.exe, 0000000B.00000003.394279754.0000000009542000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.394513996.000000000953C000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.394592560.000000000953C000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn4P
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.394592560.000000000953C000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn:P
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.394592560.000000000953C000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnFP
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.400221755.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.400221755.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/l
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.396190923.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.395961825.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/&
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.395514928.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/A
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.395782052.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/_
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.395866861.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/e
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.396078003.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/font;
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.395379421.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/http
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.395677172.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/icro
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.396190923.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.395961825.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/_
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.395782052.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/l
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.395617494.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/l
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.395379421.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/s
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.395782052.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/s(
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.396190923.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/y
              Source: vbc.exe, 00000013.00000002.491318448.000000000074C000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMh
              Source: vbc.exe, vbc.exe, 00000013.00000002.490650384.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.396078003.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.comT
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.535335599.0000000006F41000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.395104150.000000000955C000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comslnt
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.397112896.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
              Source: 5Av43Q5IXd.exe, 0000000B.00000003.397077952.0000000009560000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deg
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
              Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.535335599.0000000006F41000.00000004.00000001.sdmp | String found in binary or memory: https://whatismyipaddress.com
              Source: 5Av43Q5IXd.exe, 0000000B.00000002.535335599.0000000006F41000.00000004.00000001.sdmp | String found in binary or memory: https://whatismyipaddress.com/
              Source: vbc.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
              Source: vbc.exe, 00000013.00000002.491318448.000000000074C000.00000004.00000020.sdmp | String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
              Source: vbc.exe, 00000013.00000002.491318448.000000000074C000.00000004.00000020.sdmp | String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0LMEM
              Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
              Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
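Nearly every URL the sandbox carved from process memory above is noise: the fontbureau.com, jiyu-kobo.co.jp, founder.com.cn and similar strings are designer URLs stored in the metadata of fonts that ship with Windows, the comodoca.com entries are the revocation endpoints of a code-signing chain, and the msn.com and google.com/chrome strings are browser start-page content read while vbc.exe scraped browser profiles. The strings worth acting on are the external IP lookup (whatismyipaddress.com), the www.site.com/logs.php upload path, and the NirSoft banner and probe URLs that identify the dropped password-recovery tools. The script below is an added example, not part of this report or of the sandbox vendor's tooling: it reads rows in the format shown above (with or without the column separator), collapses the report's duplicated rows, and buckets each URL. The noise/tooling/suspect groupings and the explanations attached to them are the analyst's assumptions, and the embedded excerpt is constructed from rows on this page.

```python
"""Triage the URL strings a sandbox carved from process memory, separating
indicators that matter from the noise that dominates such lists."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed excerpt of the report's "String found in binary or memory" rows.
# Duplicated rows and the string-carving overrun ("comodoca.com0", "htmlN")
# are left in, because that is how the report presents them.
REPORT_EXCERPT = """\
Source: 5Av43Q5IXd.exe, 0000000B.00000002.542171485.0000000008127000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: 5Av43Q5IXd.exe, 0000000B.00000002.542171485.0000000008127000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: 5Av43Q5IXd.exe, 0000000B.00000002.535335599.0000000006F41000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/
Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 5Av43Q5IXd.exe, 0000000B.00000003.394592560.000000000953C000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn4P
Source: 5Av43Q5IXd.exe, 0000000B.00000002.543970512.0000000009620000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: 5Av43Q5IXd.exe, 0000000B.00000002.535335599.0000000006F41000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: 5Av43Q5IXd.exe, 0000000B.00000002.535335599.0000000006F41000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: vbc.exe, vbc.exe, 00000013.00000002.490650384.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
Source: vbc.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 00000013.00000002.491318448.000000000074C000.00000004.00000020.sdmp | String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: vbc.exe, 00000013.00000002.491318448.000000000074C000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMh
"""

# Tolerates both "sdmpString found" (cells run together) and "sdmp | String found".
ROW = re.compile(r"Source:\s*(?P<src>.+?)\s*\|?\s*String found in binary or memory:\s*(?P<url>\S+)")

# Matched as prefixes of "host/path" with a leading "www." removed, so the overrun
# bytes after a carved URL ("fontbureau.comd") do not defeat the lookup. The
# groupings are the analyst's assumptions about where the strings come from.
NOISE = {
    "font metadata": ("fontbureau.com", "jiyu-kobo.co.jp", "founder.com.cn", "galapagosdesign.com",
                      "sakkal.com", "tiro.com", "urwpp.de", "carterandcone.com", "fontfabrik.com",
                      "fonts.com", "ascendercorp.com", "goodfont.co.kr", "sandoll.co.kr",
                      "sajatypeworks.com", "typography.net", "zhongyicts.com.cn", "apache.org"),
    "code-signing PKI": ("crl.comodoca.com", "ocsp.comodoca.com"),
    "browser profile content": ("msn.com", "static-global-s-msn-com.akamaized.net", "google.com/chrome"),
}
TOOLING = {  # strings baked into the NirSoft recovery tools HawkEye drops and runs
    "nirsoft.net": "NirSoft tool banner",
    "login.yahoo.com/config/login": "MailPassView/WebBrowserPassView probe URL",
    "google.com/accounts/servicelogin": "MailPassView/WebBrowserPassView probe URL",
}
SUSPECT = {  # assumed meanings; verify against the extracted configuration
    "whatismyipaddress.com": "external IP lookup used to tag victim reports",
    "site.com/logs.php": "web-panel upload path, looks like an unconfigured builder default",
}


def classify(url):
    """Return (verdict, reason) for one carved URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    key = host + parts.path
    for reason, prefixes in NOISE.items():
        if key.startswith(prefixes):
            return "noise", reason
    for table, verdict in ((TOOLING, "tooling"), (SUSPECT, "suspect")):
        for prefix, reason in table.items():
            if key.startswith(prefix):
                return verdict, reason
    return "unknown", "no match; review by hand"


def triage(report_text):
    """Map verdict -> url -> sorted processes that held the string, duplicates collapsed."""
    buckets = defaultdict(lambda: defaultdict(set))
    for m in ROW.finditer(report_text):
        process = m.group("src").split(",")[0].strip()
        verdict, _ = classify(m.group("url"))
        buckets[verdict][m.group("url")].add(process)
    return {v: {u: sorted(p) for u, p in urls.items()} for v, urls in buckets.items()}


if __name__ == "__main__":
    for verdict, urls in triage(REPORT_EXCERPT).items():
        print(f"[{verdict}]")
        for url, procs in urls.items():
            print(f"  {url}  <- {', '.join(procs)}  ({classify(url)[1]})")
```

Feed it the full "String found in binary or memory" list and only the suspect and unknown buckets need a human; a URL the font, PKI and browser tables do not cover lands in unknown rather than being silently discarded, which is the safe failure mode for an IOC filter.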

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              Yara detected HawkEye Keylogger
              Source: Yara match | File source: 0000000B.00000002.535335599.0000000006F41000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: 5Av43Q5IXd.exe PID: 5768, type: MEMORY
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA, 18_2_0040AC8A

              System Summary:

              Malicious sample detected (through community Yara rule)
              Source: 0000000B.00000002.506523968.000000000048C000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
              Source: 00000016.00000002.489494143.000000000048C000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
              Source: 00000016.00000000.441153411.000000000048C000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
              Source: 0000001B.00000002.488379198.000000000048C000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
              Source: 0000000B.00000002.535335599.0000000006F41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000B.00000002.535335599.0000000006F41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0000000B.00000000.313734225.000000000048C000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
              Source: 0000000B.00000003.418860825.000000000B8F7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
              Source: 00000000.00000002.313959492.000000000048C000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
              Source: 00000000.00000000.217454078.000000000048C000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
              Source: 0000001B.00000000.458828447.000000000048C000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 0_2_02AE1256 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 0_2_02AE1515 NtResumeThread
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 0_2_02AE1520 NtResumeThread
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_02465E2A NtResumeThread
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_02465ED2 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_024655F6 NtQuerySystemInformation
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_02465EA5 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_024655C4 NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 0_2_02AE58BD
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 0_2_02AE3376
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 0_2_02AE6158
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_004060F0
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_00406159
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_0040A570
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_004107A5
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_00405A80
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_00402AB0
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_00405D60
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_00409E70
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_0040AE0F
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_0040BE30
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_0227DA90
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_0227AD60
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_0227B790
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_0227CDC0
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_02271C2C
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_022756B0
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_02276A80
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_02271B7F
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_0227AD49
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_0227CDB0
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_02271B90
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_022719E8
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_0227DDE8
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_022719DB
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_02276A90
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_00411F99
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: String function: 00410D6C appears 44 times
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: String function: 0040443A appears 44 times
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: String function: 004044F1 appears 63 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00411538 appears 35 times
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 972
Source: 5Av43Q5IXd.exe | Static PE information: invalid certificate
Source: 5Av43Q5IXd.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5Av43Q5IXd.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5Av43Q5IXd.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.11.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.11.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.11.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5Av43Q5IXd.exe, 00000000.00000002.319719789.0000000005006000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs 5Av43Q5IXd.exe
Source: 5Av43Q5IXd.exe, 00000000.00000002.313983252.00000000004A7000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTimbercarrying.exe vs 5Av43Q5IXd.exe
Source: 5Av43Q5IXd.exe, 00000000.00000002.314242992.0000000002270000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 5Av43Q5IXd.exe
Source: 5Av43Q5IXd.exe, 0000000B.00000002.504841720.0000000000479000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs 5Av43Q5IXd.exe
Source: 5Av43Q5IXd.exe, 0000000B.00000002.542171485.0000000008127000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 5Av43Q5IXd.exe
Source: 5Av43Q5IXd.exe, 0000000B.00000003.418881680.000000000B911000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTimbercarrying.exe vs 5Av43Q5IXd.exe
Source: 5Av43Q5IXd.exe, 0000000B.00000002.535335599.0000000006F41000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 5Av43Q5IXd.exe
Source: 5Av43Q5IXd.exe, 0000000B.00000002.543177030.00000000092C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 5Av43Q5IXd.exe
Source: 5Av43Q5IXd.exe, 0000000B.00000002.541689094.0000000007F41000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs 5Av43Q5IXd.exe
Source: 5Av43Q5IXd.exe | Binary or memory string: OriginalFilenameTimbercarrying.exe vs 5Av43Q5IXd.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: 0000000B.00000002.506523968.000000000048C000.00000020.00020000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000016.00000002.489494143.000000000048C000.00000020.00020000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000016.00000000.441153411.000000000048C000.00000020.00020000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001B.00000002.488379198.000000000048C000.00000020.00020000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.535335599.0000000006F41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000002.535335599.0000000006F41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.313734225.000000000048C000.00000020.00020000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000003.418860825.000000000B8F7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.313959492.000000000048C000.00000020.00020000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.217454078.000000000048C000.00000020.00020000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001B.00000000.458828447.000000000048C000.00000020.00020000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5Av43Q5IXd.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WindowsUpdate.exe.11.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 11.2.5Av43Q5IXd.exe.21c0000.1.unpack, Phulli/Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 11.2.5Av43Q5IXd.exe.21c0000.1.unpack, Phulli/Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 11.2.5Av43Q5IXd.exe.21c0000.1.unpack, Phulli/Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 11.2.5Av43Q5IXd.exe.21c0000.1.unpack, Phulli/Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.5Av43Q5IXd.exe.21c0000.1.unpack, G477Vs2CTVoMM7uBi5/TpLE0H9mnBvQiKIfCj.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.5Av43Q5IXd.exe.21c0000.1.unpack, G477Vs2CTVoMM7uBi5/TpLE0H9mnBvQiKIfCj.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@18/12@3/3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_0246404A AdjustTokenPrivileges
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_02464013 AdjustTokenPrivileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
Source: C:\Users\user\Desktop\5Av43Q5IXd.exe | Code function: 11_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,EntryPoint,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW