Loading ...

Play interactive tourEdit tour

Analysis Report b15023b1855da1cf5213b061dc626cc2

Overview

General Information

Sample Name:b15023b1855da1cf5213b061dc626cc2 (renamed file extension from none to exe)
Analysis ID:320480
MD5:ac5eb6172c287cbb954954b56586653f
SHA1:3bb19910b89a39274957959dec593964bcf12ee4
SHA256:da23b9268823cc4bcc82fdc74b6bd9c5d8493347507f111de7c387cbe215b264
Tags:HawkEye

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • b15023b1855da1cf5213b061dc626cc2.exe (PID: 6432 cmdline: 'C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe' MD5: AC5EB6172C287CBB954954B56586653F)
    • RegAsm.exe (PID: 6476 cmdline: 'C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • vbc.exe (PID: 6576 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp992B.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6280 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp92CE.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • xjyxibeifbdmock.exe (PID: 6828 cmdline: 'C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe' MD5: C0962CFBB4BB43348708437D8CD1D8EF)
    • RegAsm.exe (PID: 6852 cmdline: 'C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • vbc.exe (PID: 6948 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpDC10.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 3252 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD611.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.608241206.00000000035AF000.00000004.00000001.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
    00000005.00000002.606139905.0000000002DD2000.00000004.00000001.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
      00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
        00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmpMAL_HawkEye_Keylogger_Gen_Dec18Detects HawkEye Keylogger RebornFlorian Roth
        • 0x87c2e:$s1: HawkEye Keylogger
        • 0x87c97:$s1: HawkEye Keylogger
        • 0x81071:$s2: _ScreenshotLogger
        • 0x8103e:$s3: _PasswordStealer
        00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmpJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
          Click to see the 49 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          4.2.xjyxibeifbdmock.exe.31ee0000.1.unpackMAL_HawkEye_Keylogger_Gen_Dec18Detects HawkEye Keylogger RebornFlorian Roth
          • 0x85e2e:$s1: HawkEye Keylogger
          • 0x85e97:$s1: HawkEye Keylogger
          • 0x7f271:$s2: _ScreenshotLogger
          • 0x7f23e:$s3: _PasswordStealer
          4.2.xjyxibeifbdmock.exe.31ee0000.1.unpackJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
            4.2.xjyxibeifbdmock.exe.31ee0000.1.unpackHawkEyev9HawkEye v9 Payloadditekshen
            • 0x85e2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2}
            • 0x85e97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4}
            • 0x7f23e:$str1: _PasswordStealer
            • 0x7f24f:$str2: _KeyStrokeLogger
            • 0x7f271:$str3: _ScreenshotLogger
            • 0x7f260:$str4: _ClipboardLogger
            • 0x7f283:$str5: _WebCamLogger
            • 0x7f398:$str6: _AntiVirusKiller
            • 0x7f386:$str7: _ProcessElevation
            • 0x7f34d:$str8: _DisableCommandPrompt
            • 0x7f453:$str9: _WebsiteBlocker
            • 0x7f463:$str9: _WebsiteBlocker
            • 0x7f339:$str10: _DisableTaskManager
            • 0x7f3b4:$str11: _AntiDebugger
            • 0x7f43e:$str12: _WebsiteVisitorSites
            • 0x7f363:$str13: _DisableRegEdit
            • 0x7f3c2:$str14: _ExecutionDelay
            • 0x7f2e7:$str15: _InstallStartupPersistance
            5.2.RegAsm.exe.4d10000.1.raw.unpackAPT_NK_BabyShark_KimJoingRAT_Apr19_1Detects BabyShark KimJongRATFlorian Roth
            • 0x6b4fa:$a1: logins.json
            • 0x6b45a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
            • 0x6bc7e:$s4: \mozsqlite3.dll
            • 0x6a4ee:$s5: SMTP Password
            5.2.RegAsm.exe.4d10000.1.raw.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
              Click to see the 37 entries

              Sigma Overview

              System Summary:

              barindex
              Sigma detected: Drops script at startup locationShow sources
              Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe, ProcessId: 6432, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xjyxibeifbdmock.eu.url

              Signature Overview

              Click to jump to signature section

              Show All Signature Results

              AV Detection:

              barindex
              Antivirus / Scanner detection for submitted sampleShow sources
              Source: b15023b1855da1cf5213b061dc626cc2.exeAvira: detected
              Antivirus detection for dropped fileShow sources
              Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exeAvira: detection malicious, Label: TR/Dropper.Gen
              Found malware configurationShow sources
              Source: vbc.exe.6576.2.memstrMalware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
              Multi AV Scanner detection for domain / URLShow sources
              Source: http://pomf.cat/upload.phpVirustotal: Detection: 8%Perma Link
              Multi AV Scanner detection for dropped fileShow sources
              Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exeReversingLabs: Detection: 62%
              Multi AV Scanner detection for submitted fileShow sources
              Source: b15023b1855da1cf5213b061dc626cc2.exeVirustotal: Detection: 60%Perma Link
              Source: b15023b1855da1cf5213b061dc626cc2.exeMetadefender: Detection: 48%Perma Link
              Source: b15023b1855da1cf5213b061dc626cc2.exeReversingLabs: Detection: 64%
              Machine Learning detection for dropped fileShow sources
              Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exeJoe Sandbox ML: detected
              Machine Learning detection for sampleShow sources
              Source: b15023b1855da1cf5213b061dc626cc2.exeJoe Sandbox ML: detected
              Source: 4.2.xjyxibeifbdmock.exe.150000.0.unpackAvira: Label: TR/Dropper.Gen
              Source: 1.2.RegAsm.exe.400000.0.unpackAvira: Label: TR/Dropper.Gen
              Source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.a30000.0.unpackAvira: Label: TR/Dropper.Gen
              Source: 4.0.xjyxibeifbdmock.exe.150000.0.unpackAvira: Label: TR/Dropper.Gen
              Source: 5.2.RegAsm.exe.400000.0.unpackAvira: Label: TR/Dropper.Gen
              Source: 0.0.b15023b1855da1cf5213b061dc626cc2.exe.a30000.0.unpackAvira: Label: TR/Dropper.Gen
              Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exeCode function: 0_2_00A3781C FindFirstFileExA,0_2_00A3781C
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,2_2_0040938F
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,2_2_00408CAC
              Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exeCode function: 4_2_0015781C FindFirstFileExA,4_2_0015781C
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,6_2_0040938F
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,6_2_00408CAC
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,13_2_0040702D
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Jump to behavior
              Source: vbc.exe, 00000002.00000002.370849978.0000000002214000.00000004.00000001.sdmpString found in binary or memory: 38632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: vbc.exe, 00000002.00000002.370849978.0000000002214000.00000004.00000001.sdmpString found in binary or memory: 38632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: vbc.exe, 00000006.00000002.405655164.00000000020E4000.00000004.00000001.sdmpString found in binary or memory: 38632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
              Source: vbc.exe, 00000006.00000002.405655164.00000000020E4000.00000004.00000001.sdmpString found in binary or memory: 38632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
              Source: RegAsm.exe, 00000001.00000002.608991770.00000000053B0000.00000004.00000001.sdmp, vbc.exe, 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, RegAsm.exe, 00000005.00000002.606139905.0000000002DD2000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: RegAsm.exe, 00000001.00000002.608991770.00000000053B0000.00000004.00000001.sdmp, vbc.exe, 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, RegAsm.exe, 00000005.00000002.606139905.0000000002DD2000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: vbc.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: vbc.exe, 00000002.00000003.368921310.0000000002212000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
              Source: vbc.exe, 00000002.00000003.368921310.0000000002212000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
              Source: vbc.exe, 00000006.00000003.404720258.00000000020E1000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
              Source: vbc.exe, 00000006.00000003.404720258.00000000020E1000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
              Source: vbc.exe, 00000006.00000003.404653728.00000000020E2000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
              Source: vbc.exe, 00000006.00000003.404653728.00000000020E2000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
              Source: vbc.exe, 00000002.00000003.369053591.0000000002213000.00000004.00000001.sdmpString found in binary or memory: onsent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: vbc.exe, 00000002.00000003.369053591.0000000002213000.00000004.00000001.sdmpString found in binary or memory: onsent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: vbc.exe, 00000006.00000003.404912057.00000000020E3000.00000004.00000001.sdmpString found in binary or memory: onsent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
              Source: vbc.exe, 00000006.00000003.404912057.00000000020E3000.00000004.00000001.sdmpString found in binary or memory: onsent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
              Source: RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmpString found in binary or memory: http://bot.whatismyipaddress.com/
              Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.php
              Source: b15023b1855da1cf5213b061dc626cc2.exe, 00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.602404324.0000000000402000.00000040.00000001.sdmp, xjyxibeifbdmock.exe, 00000004.00000002.403557593.0000000031EE0000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.602420435.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
              Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
              Source: vbc.exe, 00000006.00000003.404525940.00000000020E0000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404912057.00000000020E3000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404720258.00000000020E1000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.co
              Source: vbc.exe, 00000002.00000002.370154038.000000000019C000.00000004.00000010.sdmp, vbc.exe, 00000006.00000002.405184269.000000000019C000.00000004.00000010.sdmpString found in binary or memory: http://www.nirsoft.net
              Source: vbc.exe, 00000013.00000002.540468694.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
              Source: vbc.exe, 00000002.00000002.370773894.000000000076D000.00000004.00000020.sdmpString found in binary or memory: https://2542116.fls.doubleM
              Source: vbc.exe, 00000002.00000003.368921310.0000000002212000.00000004.00000001.sdmp, vbc.exe, 00000002.00000003.368809279.0000000002210000.00000004.00000001.sdmp, vbc.exe, 00000002.00000003.369053591.0000000002213000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404653728.00000000020E2000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404525940.00000000020E0000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404912057.00000000020E3000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404720258.00000000020E1000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
              Source: vbc.exe, 00000002.00000002.370849978.0000000002214000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.405655164.00000000020E4000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
              Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmpString found in binary or memory: https://a.pomf.cat/
              Source: vbc.exe, 00000006.00000003.404525940.00000000020E0000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404912057.00000000020E3000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404720258.00000000020E1000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
              Source: vbc.exe, 00000006.00000003.404525940.00000000020E0000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404912057.00000000020E3000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404720258.00000000020E1000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
              Source: vbc.exe, 00000002.00000002.370773894.000000000076D000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1LMEM
              Source: vbc.exe, 00000006.00000003.404525940.00000000020E0000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404912057.00000000020E3000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404720258.00000000020E1000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
              Source: vbc.exe, 00000002.00000002.370773894.000000000076D000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM
              Source: vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
              Source: vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
              Source: vbc.exe, 00000002.00000003.368921310.0000000002212000.00000004.00000001.sdmp, vbc.exe, 00000002.00000003.368809279.0000000002210000.00000004.00000001.sdmp, vbc.exe, 00000002.00000003.369086619.0000000002211000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404653728.00000000020E2000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404525940.00000000020E0000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404720258.00000000020E1000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404942662.00000000020E1000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex
              Source: vbc.exe, 00000002.00000002.370773894.000000000076D000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome/thank-yoP
              Source: vbc.exe, 00000002.00000003.368809279.0000000002210000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.404525940.00000000020E0000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https:/

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              barindex
              Yara detected HawkEye KeyloggerShow sources
              Source: Yara matchFile source: 00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.605834694.0000000002D29000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.606017869.00000000033C9000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.602420435.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.403557593.0000000031EE0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.602404324.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6852, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6476, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: xjyxibeifbdmock.exe PID: 6828, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: b15023b1855da1cf5213b061dc626cc2.exe PID: 6432, type: MEMORY
              Source: Yara matchFile source: 4.2.xjyxibeifbdmock.exe.31ee0000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.xjyxibeifbdmock.exe.31ee0000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.raw.unpack, type: UNPACKEDPE
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0040F078 OpenClipboard,GetLastError,DeleteFileW,2_2_0040F078

              System Summary:

              barindex
              Malicious sample detected (through community Yara rule)Show sources
              Source: 00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: 00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmp, type: MEMORYMatched rule: HawkEye v9 Payload Author: ditekshen
              Source: 00000005.00000002.608578652.0000000004D10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 00000005.00000002.605834694.0000000002D29000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: 00000001.00000002.606017869.00000000033C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: 00000001.00000002.608991770.00000000053B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 0000000D.00000002.502433502.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 00000005.00000002.602420435.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: 00000013.00000002.540468694.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 00000004.00000002.403557593.0000000031EE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: 00000004.00000002.403557593.0000000031EE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: HawkEye v9 Payload Author: ditekshen
              Source: 00000001.00000002.602404324.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: Process Memory Space: RegAsm.exe PID: 6852, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: Process Memory Space: RegAsm.exe PID: 6476, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: Process Memory Space: xjyxibeifbdmock.exe PID: 6828, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: Process Memory Space: b15023b1855da1cf5213b061dc626cc2.exe PID: 6432, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: 4.2.xjyxibeifbdmock.exe.31ee0000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: 4.2.xjyxibeifbdmock.exe.31ee0000.1.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
              Source: 5.2.RegAsm.exe.4d10000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 5.2.RegAsm.exe.4d10000.1.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 1.2.RegAsm.exe.53b0000.1.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
              Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
              Source: 4.2.xjyxibeifbdmock.exe.31ee0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: 4.2.xjyxibeifbdmock.exe.31ee0000.1.raw.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
              Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
              Source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 1.2.RegAsm.exe.53b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.raw.unpack, type: UNPACKEDPEMatched rule: HawkEye v9 Payload Author: ditekshen
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055AACC8 NtUnmapViewOfSection,NtUnmapViewOfSection,1_2_055AACC8
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,2_2_0040978A
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EFA750 NtUnmapViewOfSection,NtUnmapViewOfSection,5_2_04EFA750
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,6_2_0040978A
              Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exeCode function: 0_2_00A3E86F0_2_00A3E86F
              Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exeCode function: 0_2_00A3ADEE0_2_00A3ADEE
              Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exeCode function: 0_2_00A4D1250_2_00A4D125
              Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exeCode function: 0_2_00A331070_2_00A33107
              Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exeCode function: 0_2_00A3A9400_2_00A3A940
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A75181_2_055A7518
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A1D2E1_2_055A1D2E
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055AA1E21_2_055AA1E2
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A49981_2_055A4998
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A55881_2_055A5588
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A08011_2_055A0801
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A34D01_2_055A34D0
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A7F101_2_055A7F10
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A8B901_2_055A8B90
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A7A111_2_055A7A11
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A75081_2_055A7508
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A6D301_2_055A6D30
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A41D81_2_055A41D8
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A41CA1_2_055A41CA
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A45C01_2_055A45C0
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A3DF21_2_055A3DF2
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A45B21_2_055A45B2
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A4DB01_2_055A4DB0
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A4DA11_2_055A4DA1
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A08161_2_055A0816
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A3C001_2_055A3C00
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A84391_2_055A8439
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A58901_2_055A5890
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A58801_2_055A5880
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A08B01_2_055A08B0
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A57681_2_055A5768
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A27301_2_055A2730
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A27211_2_055A2721
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A3BC11_2_055A3BC1
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A8B801_2_055A8B80
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A32181_2_055A3218
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A3E001_2_055A3E00
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A6A221_2_055A6A22
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A7A201_2_055A7A20
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A7EC11_2_055A7EC1
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0044900F2_2_0044900F
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_004042EB2_2_004042EB
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_004142812_2_00414281
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_004102912_2_00410291
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_004063BB2_2_004063BB
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_004156242_2_00415624
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0041668D2_2_0041668D
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0040477F2_2_0040477F
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0040487C2_2_0040487C
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0043589B2_2_0043589B
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0043BA9D2_2_0043BA9D
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0043FBD32_2_0043FBD3
              Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exeCode function: 4_2_0015E86F4_2_0015E86F
              Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exeCode function: 4_2_001531074_2_00153107
              Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exeCode function: 4_2_0016D1254_2_0016D125
              Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exeCode function: 4_2_0015A9404_2_0015A940
              Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exeCode function: 4_2_0015ADEE4_2_0015ADEE
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_027E24775_2_027E2477
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF66D25_2_04EF66D2
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF58905_2_04EF5890
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF9C685_2_04EF9C68
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF14425_2_04EF1442
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF86185_2_04EF8618
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF7A115_2_04EF7A11
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF13BB5_2_04EF13BB
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF4DB05_2_04EF4DB0
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF55885_2_04EF5588
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF33985_2_04EF3398
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF49985_2_04EF4998
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF0D705_2_04EF0D70
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF75185_2_04EF7518
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF7F105_2_04EF7F10
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF7EC15_2_04EF7EC1
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF08AC5_2_04EF08AC
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF38B75_2_04EF38B7
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF3AB45_2_04EF3AB4
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF188B5_2_04EF188B
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF388B5_2_04EF388B
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF58805_2_04EF5880
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF369C5_2_04EF369C
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF38685_2_04EF3868
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF1A665_2_04EF1A66
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF3A775_2_04EF3A77
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF16715_2_04EF1671
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF36715_2_04EF3671
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF18465_2_04EF1846
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF6A225_2_04EF6A22
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF7A205_2_04EF7A20
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF3A3A5_2_04EF3A3A
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF86085_2_04EF8608
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF3C005_2_04EF3C00
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF3E005_2_04EF3E00
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF361B5_2_04EF361B
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF32185_2_04EF3218
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF7A145_2_04EF7A14
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF37FA5_2_04EF37FA
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF3DF25_2_04EF3DF2
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF41C95_2_04EF41C9
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF19C25_2_04EF19C2
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF45C05_2_04EF45C0
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF39DA5_2_04EF39DA
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF41D85_2_04EF41D8
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF4DAB5_2_04EF4DAB
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF37B85_2_04EF37B8
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF45B15_2_04EF45B1
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF1B8F5_2_04EF1B8F
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF33895_2_04EF3389
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF49895_2_04EF4989
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF35805_2_04EF3580
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF57685_2_04EF5768
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF1D7F5_2_04EF1D7F
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF19775_2_04EF1977
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF37775_2_04EF3777
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF15765_2_04EF1576
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF1D705_2_04EF1D70
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF37445_2_04EF3744
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF19405_2_04EF1940
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF27215_2_04EF2721
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF27305_2_04EF2730
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF6D305_2_04EF6D30
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF3B0F5_2_04EF3B0F
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF390D5_2_04EF390D
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF750B5_2_04EF750B
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF7F055_2_04EF7F05
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF2F005_2_04EF2F00
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF75135_2_04EF7513
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF37115_2_04EF3711
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0044900F6_2_0044900F
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_004042EB6_2_004042EB
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_004142816_2_00414281
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_004102916_2_00410291
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_004063BB6_2_004063BB
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_004156246_2_00415624
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0041668D6_2_0041668D
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0040477F6_2_0040477F
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0040487C6_2_0040487C
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0043589B6_2_0043589B
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0043BA9D6_2_0043BA9D
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0043FBD36_2_0043FBD3
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_00404DE513_2_00404DE5
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_00404E5613_2_00404E56
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_00404EC713_2_00404EC7
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_00404F5813_2_00404F58
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_0040BF6B13_2_0040BF6B
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 0044465C appears 36 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 0044466E appears 40 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00415F19 appears 68 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 0044468C appears 72 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 004162C2 appears 174 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00412084 appears 39 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00444B90 appears 72 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 0041607A appears 132 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 0042F6EF appears 32 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 004083D6 appears 64 times
              Source: b15023b1855da1cf5213b061dc626cc2.exeBinary or memory string: OriginalFilename vs b15023b1855da1cf5213b061dc626cc2.exe
              Source: b15023b1855da1cf5213b061dc626cc2.exe, 00000000.00000003.348776345.000000003296F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs b15023b1855da1cf5213b061dc626cc2.exe
              Source: b15023b1855da1cf5213b061dc626cc2.exe, 00000000.00000002.370230188.0000000032700000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSkivvies.exe* vs b15023b1855da1cf5213b061dc626cc2.exe
              Source: b15023b1855da1cf5213b061dc626cc2.exe, 00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameReborn Stub.exe" vs b15023b1855da1cf5213b061dc626cc2.exe
              Source: b15023b1855da1cf5213b061dc626cc2.exeBinary or memory string: OriginalFilenameSkivvies.exe* vs b15023b1855da1cf5213b061dc626cc2.exe
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dllJump to behavior
              Source: 00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000000.00000002.368012063.0000000032130000.00000004.00000001.sdmp, type: MEMORYMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 00000005.00000002.608578652.0000000004D10000.00000004.00000001.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 00000005.00000002.605834694.0000000002D29000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000001.00000002.606017869.00000000033C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000001.00000002.608991770.00000000053B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0000000D.00000002.502433502.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 00000005.00000002.602420435.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000013.00000002.540468694.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 00000004.00000002.403557593.0000000031EE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000004.00000002.403557593.0000000031EE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 00000001.00000002.602404324.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: Process Memory Space: RegAsm.exe PID: 6852, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: Process Memory Space: RegAsm.exe PID: 6476, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: Process Memory Space: xjyxibeifbdmock.exe PID: 6828, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: Process Memory Space: b15023b1855da1cf5213b061dc626cc2.exe PID: 6432, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 4.2.xjyxibeifbdmock.exe.31ee0000.1.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 4.2.xjyxibeifbdmock.exe.31ee0000.1.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 5.2.RegAsm.exe.4d10000.1.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 5.2.RegAsm.exe.4d10000.1.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 1.2.RegAsm.exe.53b0000.1.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 4.2.xjyxibeifbdmock.exe.31ee0000.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 4.2.xjyxibeifbdmock.exe.31ee0000.1.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 1.2.RegAsm.exe.53b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.b15023b1855da1cf5213b061dc626cc2.exe.32130000.1.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 1.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.csCryptographic APIs: 'CreateDecryptor'
              Source: 1.2.RegAsm.exe.400000.0.unpack, u206b????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
              Source: 5.2.RegAsm.exe.400000.0.unpack, u206b????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
              Source: 5.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
              Source: 5.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
              Source: 5.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.csCryptographic APIs: 'CreateDecryptor'
              Source: 5.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.csSecurity API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
              Source: 5.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.csSecurity API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
              Source: 5.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.csSecurity API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
              Source: 1.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
              Source: 1.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 5.2.RegAsm.exe.400000.0.unpack, u200b????????????????????????????????????????.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
              Source: 1.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.csSecurity API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
              Source: 1.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.csSecurity API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
              Source: 1.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.csSecurity API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
              Source: 5.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
              Source: 5.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 1.2.RegAsm.exe.400000.0.unpack, u200b????????????????????????????????????????.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
              Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@14/5@0/0
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00417BE9 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,2_2_00417BE9
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00418073 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,2_2_00418073
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00413424 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,2_2_00413424
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_004141E0 FindResourceW,SizeofResource,LoadResource,LockResource,2_2_004141E0
              Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exeFile created: C:\Users\user\AppData\Roaming\ezocxcvgggJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\6cc8834c-22b2-4fc1-bfba-232b5346d9e8
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\ecfc61d0-e5dc-e5e1-276d-ec9f9689ba6dJump to behavior
              Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exeCommand line argument: OPKKQWDOKD0_2_00A31000
              Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exeCommand line argument: BGBAQFXQZ0_2_00A31000
              Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exeCommand line argument: SOWQKFT0_2_00A31000
              Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exeCommand line argument: OPKKQWDOKD4_2_00151000
              Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exeCommand line argument: BGBAQFXQZ4_2_00151000
              Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exeCommand line argument: SOWQKFT4_2_00151000
              Source: b15023b1855da1cf5213b061dc626cc2.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeSystem information queried: HandleInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
              Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: vbc.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: RegAsm.exe, 00000001.00000002.608991770.00000000053B0000.00000004.00000001.sdmp, vbc.exe, 00000002.00000002.370197886.0000000000400000.00000040.00000001.sdmp, RegAsm.exe, 00000005.00000002.606139905.0000000002DD2000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.405206241.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: vbc.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: vbc.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: vbc.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: b15023b1855da1cf5213b061dc626cc2.exeVirustotal: Detection: 60%
              Source: b15023b1855da1cf5213b061dc626cc2.exeMetadefender: Detection: 48%
              Source: b15023b1855da1cf5213b061dc626cc2.exeReversingLabs: Detection: 64%
              Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exeFile read: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe 'C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe'
              Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe'
              Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp992B.tmp'
              Source: unknownProcess created: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe 'C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe'
              Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe'
              Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpDC10.tmp'
              Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp92CE.tmp'
              Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD611.tmp'
              Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exe' Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp992B.tmp'Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp92CE.tmp'Jump to behavior
              Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe' Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpDC10.tmp'Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD611.tmp'Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
              Source: b15023b1855da1cf5213b061dc626cc2.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: b15023b1855da1cf5213b061dc626cc2.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: b15023b1855da1cf5213b061dc626cc2.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: b15023b1855da1cf5213b061dc626cc2.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: b15023b1855da1cf5213b061dc626cc2.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: b15023b1855da1cf5213b061dc626cc2.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: b15023b1855da1cf5213b061dc626cc2.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: vbc.exe
              Source: Binary string: wntdll.pdbUGP source: b15023b1855da1cf5213b061dc626cc2.exe, 00000000.00000003.349652096.0000000032880000.00000004.00000001.sdmp, xjyxibeifbdmock.exe, 00000004.00000003.392999020.0000000032440000.00000004.00000001.sdmp
              Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: RegAsm.exe, 00000001.00000002.608241206.00000000035AF000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.608017137.0000000002F0D000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000013.00000002.540468694.0000000000400000.00000040.00000001.sdmp
              Source: Binary string: wntdll.pdb source: b15023b1855da1cf5213b061dc626cc2.exe, 00000000.00000003.349652096.0000000032880000.00000004.00000001.sdmp, xjyxibeifbdmock.exe, 00000004.00000003.392999020.0000000032440000.00000004.00000001.sdmp
              Source: Binary string: mscorrc.pdb source: RegAsm.exe, 00000001.00000002.610202715.0000000008510000.00000002.00000001.sdmp, RegAsm.exe, 00000005.00000002.609997040.0000000007E60000.00000002.00000001.sdmp
              Source: b15023b1855da1cf5213b061dc626cc2.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: b15023b1855da1cf5213b061dc626cc2.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: b15023b1855da1cf5213b061dc626cc2.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: b15023b1855da1cf5213b061dc626cc2.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: b15023b1855da1cf5213b061dc626cc2.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_004443B0
              Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exeCode function: 0_2_00A319A6 push ecx; ret 0_2_00A319B9
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_014E912C push ecx; retf 1_2_014E9131
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A2F1C push ss; retf 1_2_055A2F1D
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_055A2FA5 push ss; retf 1_2_055A2FA6
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00444975 push ecx; ret 2_2_00444985
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00444B90 push eax; ret 2_2_00444BA4
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00444B90 push eax; ret 2_2_00444BCC
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00448E74 push eax; ret 2_2_00448E81
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0042CF44 push ebx; retf 0042h2_2_0042CF49
              Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exeCode function: 4_2_001519A6 push ecx; ret 4_2_001519B9
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_027F912C push ecx; retf 5_2_027F9131
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 5_2_04EF9382 push esp; retf 5_2_04EF9421
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00444975 push ecx; ret 6_2_00444985
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00444B90 push eax; ret 6_2_00444BA4
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00444B90 push eax; ret 6_2_00444BCC
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00448E74 push eax; ret 6_2_00448E81
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0042CF44 push ebx; retf 0042h6_2_0042CF49
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_00412341 push ecx; ret 13_2_00412351
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_00412360 push eax; ret 13_2_00412374
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_00412360 push eax; ret 13_2_0041239C
              Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exeFile created: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exeJump to dropped file
              Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xjyxibeifbdmock.eu.urlJump to behavior
              Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xjyxibeifbdmock.eu.urlJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00443A61 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_00443A61
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion:

              barindex
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
              Tries to delay execution (extensive OutputDebugStringW loop)Show sources
              Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exeSection loaded: OutputDebugStringW count: 1982
              Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exeSection loaded: OutputDebugStringW count: 1982
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
              Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
              Source: RegAsm.exe, 00000001.00000002.605985687.00000000033C3000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.605786252.0000000002D23000.00000004.00000001.sdmpBinary or memory string: WIRESHARK.EXE
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,2_2_0040978A
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6532Thread sleep count: 173 > 30Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6532Thread sleep time: -173000s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exe TID: 6832Thread sleep time: -31025s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6904Thread sleep count: 163 > 30Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6904Thread sleep time: -163000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeLast function: Thread delayed
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeLast function: Thread delayed
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeLast function: Thread delayed
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeLast function: Thread delayed
              Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exeCode function: 0_2_00A3781C FindFirstFileExA,0_2_00A3781C
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,2_2_0040938F
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,2_2_00408CAC
              Source: C:\Users\user\AppData\Roaming\ezocxcvggg\xjyxibeifbdmock.exeCode function: 4_2_0015781C FindFirstFileExA,4_2_0015781C
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,6_2_0040938F
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,6_2_00408CAC
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,13_2_0040702D
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0041829C memset,GetSystemInfo,2_2_0041829C
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Jump to behavior
              Source: C:\Users\user\Desktop\b15023b1855da1cf5213b061dc626cc2.exeProcess information queried: ProcessInformationJump to behavior